Learning more about ECFS
The extended core file snapshot technology, ECFS, is still relatively new. I presented on it at DEF CON 23 (https://www.defcon.org/html/defcon-23/dc-23-speakers.html#O%27Neill), and the word is still spreading. Hopefully, a community will evolve and more people will begin adopting ECFS for their daily forensics work and tools. Nonetheless, several resources for ECFS already exist:
The official GitHub page: https://github.com/elfmaster/ecfs
The original white paper (outdated): http://www.leviathansecurity.com/white-papers/extending-the-elf-core-format-for-forensics-snapshots
An article from POC || GTFO 0x7: Innovations with core files, https://speakerdeck.com/ange/poc-gtfo-issue-0x07-1