Oh, oh, forget my last posting: I've used the wrong offset for the SECURITY hive within that example. SORRY.
Using an older SP2 dump it worked fine. Found no wrong code within the script. ;-)
But the script was not able to extract the LSA key from an SP3 dump.
Does anyone have a solution for that? How might the LSA key be extracted otherwise? It MUST be somewhere in the lsass process, right?
TNX in advance and sorry for the wrong posting again.
Cu
Michael
From: Michael Felber, Steufa Chemnitz, IT-Forensik [mailto:MichaelFelber@gmx.net]
Sent: Thursday, 10 September 2009 16:42
To: 'vol-dev@volatilityfoundation.org'
Subject: CashDump-Issue
Hello,
following a hint from Andreas (TNX!!) I've tackled the problem of extracting cached domain credentials from a memory dump. At the end of my path of epiphany I saw that Volatility already has a plugin doing that: hashdump.py. Great.
While giving it a try I only got error messages like
Traceback (most recent call last):
  File "volatility", line 219, in <module>
    main()
  File "volatility", line 215, in main
    command.execute()
  File "memory_plugins\registry/hashdump.py", line 78, in execute
    dump_memory_hashes(addr_space, types, self.opts.syshive, self.opts.samhive, prof)
  File "C:\Micha\Forensics\Volatility\forensics\win32\hashdump.py", line 305, in dump_memory_hashes
    dump_hashes(sysaddr, samaddr, profile)
  File "C:\Micha\Forensics\Volatility\forensics\win32\hashdump.py", line 289, in dump_hashes
    bootkey = get_bootkey(sysaddr,profile)
  File "C:\Micha\Forensics\Volatility\forensics\win32\hashdump.py", line 131, in get_bootkey
    class_data = sysaddr.read(key.Class, key.ClassLength)
AttributeError: 'NoneType' object has no attribute 'Class'
From my point of view as a programming noob, some type of type declaration is missing.
Or did I miss something? I have applied all the recent patches posted to this list.
The full console dump is attached for your kind review.
Cu
Mic
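For readers tracing the traceback above, an added illustration (not Volatility's own code and not Michael's script) of what get_bootkey does with the four Lsa subkeys, and of how a lookup that returns None (the usual symptom of a wrong hive offset or the wrong hive) should be reported rather than surfacing as an AttributeError on key.Class. The read_class callable and the sample hive dict are constructed stand-ins for the hive address space; the subkey order and permutation are the published values from Volatility's hashdump.py.

```python
from binascii import unhexlify

# The four subkeys under <ControlSet>\Control\Lsa whose Class field holds the
# scrambled bootkey, and the descrambling permutation. Both are the published
# values used by Volatility's hashdump.py (verify against your own copy).
LSA_BOOTKEY_SUBKEYS = ("JD", "Skew1", "GBG", "Data")
BOOTKEY_PERMUTATION = (0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3,
                       0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7)


class HiveKeyNotFound(Exception):
    """Raised when a key lookup returns None, instead of letting the caller
    crash on key.Class with an AttributeError as in the traceback."""


def get_bootkey(read_class, control_set="ControlSet001"):
    """Derive the 16-byte bootkey from the SYSTEM hive.

    read_class(path) is a hypothetical stand-in for the hive lookup: it returns
    the key's Class data (hex text stored as UTF-16-LE bytes) or None when the
    key cannot be found (wrong hive offset, wrong hive, unexpected layout).
    """
    hex_text = ""
    for name in LSA_BOOTKEY_SUBKEYS:
        path = "%s\\Control\\Lsa\\%s" % (control_set, name)
        class_data = read_class(path)
        if class_data is None:
            raise HiveKeyNotFound("key not found: %s (check the SYSTEM hive "
                                  "offset and that it really is SYSTEM)" % path)
        hex_text += class_data.decode("utf-16-le")
    if len(hex_text) != 32:
        raise ValueError("expected 32 hex chars of class data, got %r" % hex_text)
    scrambled = unhexlify(hex_text)
    # Undo the scrambling: output byte i is scrambled byte PERMUTATION[i].
    return bytes(scrambled[i] for i in BOOTKEY_PERMUTATION)


# Constructed sample hive contents (not from a real dump): each key's Class
# field carries 8 hex characters encoded as UTF-16-LE.
SAMPLE_HIVE = {
    "ControlSet001\\Control\\Lsa\\JD":    "00010203".encode("utf-16-le"),
    "ControlSet001\\Control\\Lsa\\Skew1": "04050607".encode("utf-16-le"),
    "ControlSet001\\Control\\Lsa\\GBG":   "08090a0b".encode("utf-16-le"),
    "ControlSet001\\Control\\Lsa\\Data":  "0c0d0e0f".encode("utf-16-le"),
}


def hive_reader(hive):
    """Return a read_class callable over a dict-backed sample hive."""
    return lambda path: hive.get(path)
```

Calling get_bootkey(hive_reader({})) models the failing lookup and raises HiveKeyNotFound naming the missing key, which is the diagnostic the original traceback does not give.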