Install: claude install-skill 26zl/cybersec-toolkit
# Extracting Credentials from Memory Dump
## When to Use
- During incident response to determine what credentials an attacker had access to
- When assessing the scope of credential compromise after a breach
- For identifying accounts that need immediate password resets
- When investigating lateral movement and pass-the-hash/pass-the-ticket attacks
- For recovering encryption keys or authentication tokens from process memory
## Prerequisites
- Memory dump in raw, ELF, or crash dump format
- Volatility 3 with Windows symbol tables
- Mimikatz (for offline analysis of extracted LSASS dumps)
- pypykatz (Python implementation of Mimikatz for Linux-based analysis)
- Understanding of Windows authentication (NTLM, Kerberos, DPAPI)
- Appropriate legal authorization for credential extraction
## Workflow
### Step 1: Prepare Tools and Verify Memory Dump
```bash
# Install analysis tools
pip install volatility3 pypykatz
# Verify memory dump integrity
sha256sum /cases/case-2024-001/memory/memory.raw
# Identify the OS version
vol -f /cases/case-2024-001/memory/memory.raw windows.info
# Verify LSASS process exists in memory
vol -f /cases/case-2024-001/memory/memory.raw windows.pslist | grep -i lsass
# Output:
# PID PPID ImageFileName Offset(V) Threads Handles SessionId
# 684 564 lsass.exe 0xffffe00123456 35 1234 0
```
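Before dumping anything from "the LSASS process", it is worth scripting the two checks Step 1 performs by hand: that the image still matches its acquisition hash, and that the lsass.exe found in `windows.pslist` is the one you expect. The helper below is an added example, not code from the cybersec-toolkit skill; it uses only the Python standard library, the pslist sample is constructed to mirror the column layout above, and the baseline it assumes (exactly one lsass.exe, parented by wininit.exe) is a sanity check, not something Volatility enforces.

```python
import hashlib

# Constructed sample of `vol ... windows.pslist` output in the column layout
# shown in Step 1 (real output carries more columns; only the first four matter).
SAMPLE_PSLIST = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId
4 0 System 0xffffe00100001 120 0 N/A
564 456 wininit.exe 0xffffe00100002 1 80 0
684 564 lsass.exe 0xffffe00123456 35 1234 0
3120 2880 lsass.exe 0xffffe00133456 3 40 1
"""

def sha256_file(path, chunk=1 << 20):
    """Hash the image in chunks so a multi-GB dump is never read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_dump(path, expected_sha256):
    """True if the image still matches the hash recorded at acquisition."""
    return sha256_file(path) == expected_sha256.lower()

def parse_pslist(text):
    """Turn the pslist table into dicts; PID/PPID as ints, offset kept as text."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        rows.append({"pid": int(parts[0]), "ppid": int(parts[1]),
                     "name": parts[2], "offset": parts[3]})
    return rows

def find_lsass(rows):
    """Return lsass.exe candidates and anomalies to note before dumping one.
    Assumed baseline: one lsass.exe, parented by wininit.exe; anything else
    deserves a closer look before its memory is treated as the credential store."""
    wininit = {r["pid"] for r in rows if r["name"].lower() == "wininit.exe"}
    found = [r for r in rows if r["name"].lower() == "lsass.exe"]
    anomalies = []
    if len(found) != 1:
        anomalies.append(f"expected one lsass.exe, found {len(found)}")
    for r in found:
        if r["ppid"] not in wininit:
            anomalies.append(f"lsass.exe PID {r['pid']} has non-wininit parent {r['ppid']}")
    return found, anomalies
```

Feed it the real `vol ... windows.pslist` output and the hash from your acquisition notes; any reported anomaly (a second lsass.exe, an unexpected parent) is something to document in the case file before choosing which process to dump.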
### Step 2: Extract Credential Hashes with Volatility
```bash
# Dump SAM database hashes from memory
vol -f /cases/case-2024-00
```