[Vol-dev] AW: CashDump-Issue

Oh, oh, forget my last posting: I've used the wrong offset for the SECURITY-Hive within that example. SORRY. Using an older SP2-dump it worked fine. Found no wrong code within the script. ;-) But the script was not able to extract the LSA key from a SP3-dump. Does anyone have a solution for that? How the LSA key may get extracted otherwise? It MUST be somewhere in the lsass-process, right? TNX in advance and sorry for the wrong posting again. Cu Michael Von: Michael Felber , Steufa Chemnitz, IT-Forensik [mailto:MichaelFelber@gmx.net] Gesendet: Donnerstag, 10. September 2009 16:42 An: &#39;vol-dev(a)volatilityfoundation.org&#39; Betreff: CashDump-Issue Hello, according a hint of Andreas (TNX!!) I've tackled the problem of extracting cached domain credentials from a memory-dump. At the end of my path of epiphany I saw that Volatility already has a plugin doing that: hashdump.py. Great. While giving it a try I only got error messages like Traceback (most recent call last): File "volatility", line 219, in <module> main() File "volatility", line 215, in main command.execute() File "memory_plugins\registry/hashdump.py", line 78, in execute dump_memory_hashes(addr_space, types, self.opts.syshive, self.opts.samhive, prof) File "C:\Micha\Forensics\Volatility\forensics\win32\hashdump.py", line 305, in dump_memory_hashes dump_hashes(sysaddr, samaddr, profile) File "C:\Micha\Forensics\Volatility\forensics\win32\hashdump.py", line 289, in dump_hashes bootkey = get_bootkey(sysaddr,profile) File "C:\Micha\Forensics\Volatility\forensics\win32\hashdump.py", line 131, in get_bootkey class_data = sysaddr.read(key.Class, key.ClassLength) AttributeError: 'NoneType' object has no attribute 'Class' missed. Or did I miss something? I have applied all the recent patches posted in this list. The full console dump is attached for kindly being reviewed. Cu Mic