Hello,
according to a hint from Andreas (TNX!!) I've tackled the problem of extracting
cached domain credentials from a memory dump. At the end of my path of
epiphany I saw that Volatility already has a plugin doing that:
hashdump.py. Great.
While giving it a try I only got error messages like:
Traceback (most recent call last):
  File "volatility", line 219, in <module>
    main()
  File "volatility", line 215, in main
    command.execute()
  File "memory_plugins\registry/hashdump.py", line 78, in execute
    dump_memory_hashes(addr_space, types, self.opts.syshive, self.opts.samhive, prof)
  File "C:\Micha\Forensics\Volatility\forensics\win32\hashdump.py", line 305, in dump_memory_hashes
    dump_hashes(sysaddr, samaddr, profile)
  File "C:\Micha\Forensics\Volatility\forensics\win32\hashdump.py", line 289, in dump_hashes
    bootkey = get_bootkey(sysaddr,profile)
  File "C:\Micha\Forensics\Volatility\forensics\win32\hashdump.py", line 131, in get_bootkey
    class_data = sysaddr.read(key.Class, key.ClassLength)
AttributeError: 'NoneType' object has no attribute 'Class'
From my point of view as a programming noob, some type of type declaration is
missing.
Or did I miss something? I have applied all the recent patches posted on
this list.
The full console dump is attached for kind review.
Cu
Mic
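As an added illustration (not code from the post above or from Volatility itself): the traceback ends in get_bootkey when `key` is None, i.e. a registry key lookup returned nothing and the code went on to read `key.Class` anyway. The block below reproduces the boot-key derivation that step performs, taking the Class values of the JD, Skew1, GBG and Data subkeys under ControlSet###\Control\Lsa in the SYSTEM hive, decoding the UTF-16LE hex text and applying the fixed byte permutation used by bkhive, creddump and Volatility, but it checks each lookup first so a missing key fails with a clear message instead of an AttributeError. The hive is modelled as a plain dict (key name to raw Class bytes, or None when absent) standing in for the real registry lookup, and the sample Class values are constructed for the example, not taken from any dump.

```python
from typing import Dict, Optional

# Subkeys whose Class values make up the boot key, in the order they are concatenated.
LSA_KEYS = ("JD", "Skew1", "GBG", "Data")

# Fixed permutation applied to the 16 concatenated bytes (public derivation
# used by bkhive, creddump and Volatility's hashdump): out[i] = raw[P[i]].
BOOTKEY_PERMUTATION = (0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3,
                       0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7)


class MissingLsaKey(LookupError):
    """One of the LSA subkeys could not be found in the SYSTEM hive."""


def control_set_path(select_current: int) -> str:
    """Path of the control set to use; the number comes from the hive's
    Select\\Current value rather than being hardcoded to ControlSet001."""
    return "ControlSet%03d\\Control\\Lsa" % select_current


def compute_bootkey(lsa_classes: Dict[str, Optional[bytes]]) -> bytes:
    """Derive the 16-byte boot key from the raw Class data of the four LSA
    subkeys. `lsa_classes` stands in for a registry lookup: a value of None
    means the key was not found, which is exactly the case that produces
    "'NoneType' object has no attribute 'Class'" when left unchecked."""
    raw = b""
    for name in LSA_KEYS:
        class_data = lsa_classes.get(name)
        if class_data is None:
            raise MissingLsaKey("LSA subkey %r not found in SYSTEM hive" % name)
        # Class data is UTF-16LE text holding 8 hex digits (4 bytes).
        chunk = bytes.fromhex(class_data.decode("utf-16-le"))
        if len(chunk) != 4:
            raise ValueError("Class of %r has unexpected length %d" % (name, len(chunk)))
        raw += chunk
    # 4 subkeys x 4 bytes = 16 bytes before scrambling.
    return bytes(raw[BOOTKEY_PERMUTATION[i]] for i in range(16))


def bootkey_or_none(lsa_classes: Dict[str, Optional[bytes]]) -> Optional[bytes]:
    """Convenience wrapper: None instead of an exception when a key is missing."""
    try:
        return compute_bootkey(lsa_classes)
    except MissingLsaKey:
        return None


# Constructed sample Class values (not from a real system), stored as the
# hive stores them: UTF-16LE hex text.
SAMPLE_LSA_CLASSES: Dict[str, Optional[bytes]] = {
    "JD": "00010203".encode("utf-16-le"),
    "Skew1": "04050607".encode("utf-16-le"),
    "GBG": "08090a0b".encode("utf-16-le"),
    "Data": "0c0d0e0f".encode("utf-16-le"),
}

# Same hive with one subkey missing, the situation the traceback shows.
SAMPLE_MISSING_GBG: Dict[str, Optional[bytes]] = dict(SAMPLE_LSA_CLASSES, GBG=None)

if __name__ == "__main__":
    print("bootkey:", compute_bootkey(SAMPLE_LSA_CLASSES).hex())
    print("missing GBG ->", bootkey_or_none(SAMPLE_MISSING_GBG))
```

With the constructed values the raw concatenation is 00..0f, so the permuted result makes the scrambling easy to check by eye. Which control set is live is recorded in the hive's Select\Current value, so a lookup under a hardcoded ControlSet001 can legitimately come back empty on a system whose current set is a different one; that is one of the first things to verify when a key lookup in this path returns None.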