Extended Core File Snapshot (ECFS) technology is a piece of software that plugs into the Linux core handler and creates specialized process memory snapshots specifically designed with process memory forensics in mind. Most people have no idea how to parse a process image, let alone how to examine one for anomalies. Even for experts, it can be an arduous task to look at a process image and detect infections or malware.

Before ECFS, there existed no real standard for snapshotting of a process image other than using core files, which can be created on demand using the gcore script that comes with most Linux distributions. As briefly discussed in the previous chapter, regular core files are ...