Learning more about ECFS

The extended core file snapshot technology, ECFS, is still relatively new. I presented on it at defcon 23 (https://www.defcon.org/html/defcon-23/dc-23-speakers.html#O%27Neill), and the word is still spreading. Hopefully, a community will evolve and more people will begin adopting ECFS for their daily forensics work and tools. Nonetheless, at this point, there are several resources for ECFS in existence:

The official GitHub page: https://github.com/elfmaster/ecfs

The original white paper (outdated): http://www.leviathansecurity.com/white-papers/extending-the-elf-core-format-for-forensics-snapshots
An article from POC || GTFO 0x7: Innovations with core files, https://speakerdeck.com/ange/poc-gtfo-issue-0x07-1

Get Learning Linux Binary Analysis now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Learning Linux Binary Analysis by Ryan elfmaster O'Neill

Learning more about ECFS

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly