[Vol-dev] Re: CashDump-Issue

Michael Felber , Steufa Chemnitz, IT-Forensik MichaelFelber at gmx.net
Thu Sep 10 10:00:22 CDT 2009


Oh, oh, forget my last posting: I've used the wrong offset for the
SECURITY hive within that example. SORRY.

Using an older SP2 dump it worked fine. Found no wrong code within the
script. ;-)

But the script was not able to extract the LSA key from an SP3 dump.

Does anyone have a solution for that? How else might the LSA key be
extracted? It MUST be somewhere in the lsass process, right?

TNX in advance and sorry for the wrong posting again.

Cu

Michael

From: Michael Felber , Steufa Chemnitz, IT-Forensik
[mailto:MichaelFelber at gmx.net]
Sent: Thursday, 10 September 2009 16:42
To: 'vol-dev at volatilesystems.com'
Subject: CashDump-Issue

Hello,

following a hint from Andreas (TNX!!), I've tackled the problem of extracting
cached domain credentials from a memory dump. At the end of my path of
epiphany I saw that Volatility already has a plugin doing that:
hashdump.py. Great.

While giving it a try, I only got error messages like

Traceback (most recent call last):
  File "volatility", line 219, in <module>
    main()
  File "volatility", line 215, in main
    command.execute()
  File "memory_plugins\registry/hashdump.py", line 78, in execute
    dump_memory_hashes(addr_space, types, self.opts.syshive, self.opts.samhive, prof)
  File "C:\Micha\Forensics\Volatility\forensics\win32\hashdump.py", line 305, in dump_memory_hashes
    dump_hashes(sysaddr, samaddr, profile)
  File "C:\Micha\Forensics\Volatility\forensics\win32\hashdump.py", line 289, in dump_hashes
    bootkey = get_bootkey(sysaddr,profile)
  File "C:\Micha\Forensics\Volatility\forensics\win32\hashdump.py", line 131, in get_bootkey
    class_data = sysaddr.read(key.Class, key.ClassLength)
AttributeError: 'NoneType' object has no attribute 'Class'

From my point of view as a programming noob, some type of type declaration is
missing.

Or did I miss something? I have applied all the recent patches posted on
this list.

The full console dump is attached for review.

Cu

Mic
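
For reference, here is a stand-alone Python 3 example added to this archived thread; it is not code from the thread, from Andreas, or from Volatility's hashdump.py. It shows what get_bootkey() is doing at the point where the traceback above fails (concatenating the class data of the four Lsa subkeys and permuting it), with the None check whose absence turns a wrong hive offset into "'NoneType' object has no attribute 'Class'", and then the SECURITY-hive step the follow-up asks about: decrypting the LSA key from Policy\PolSecretEncryptionKey with that bootkey. Assumptions: the hive lookups are replaced by constructed nested dicts; the permutation table and the value layout (RC4 over bytes 12:60, keyed by MD5 of the bootkey followed by 1000 repetitions of bytes 60:76, LSA key at 0x10:0x20 of the plaintext) are the creddump-style XP/2003 scheme as I know it and should be checked against the tool's own source; nothing here explains why the SP3 dump failed.

```python
"""Added example (Python 3), not code from this thread or from Volatility:
get_bootkey() derives the SYSTEM-hive bootkey, refusing a None key instead of
crashing on key.Class like the traceback above; get_lsa_key() then decrypts
Policy\\PolSecretEncryptionKey from the SECURITY hive (creddump-style
XP/2003 scheme; the constants are an assumption to verify against the tool)."""
import hashlib

# Permutation of the 16 concatenated class bytes (assumed from creddump).
BOOTKEY_PERMUTATION = [0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3,
                       0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7]
LSA_CLASS_KEYS = ("JD", "Skew1", "GBG", "Data")

class HiveError(Exception):
    """Raised where the original would have let None.Class blow up."""

def open_key(hive, path):
    """Walk a nested-dict 'hive'; None if missing, as a bad offset yields."""
    node = hive
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def get_bootkey(system_hive, control_set=1):
    """Concatenate class data of Lsa\\JD, Skew1, GBG, Data, then permute."""
    lsa_path = ["ControlSet%03d" % control_set, "Control", "Lsa"]
    lsa = open_key(system_hive, lsa_path)
    if lsa is None:
        raise HiveError("\\".join(lsa_path) + " not found: wrong hive or offset?")
    bootkey = b""
    for name in LSA_CLASS_KEYS:
        key = open_key(lsa, [name])
        if key is None or "class" not in key:  # the check the traceback lacks
            raise HiveError("Lsa\\%s missing or has no class data" % name)
        # Class data is a UTF-16LE string of 8 hex digits -> 4 key bytes.
        bootkey += bytes.fromhex(key["class"].decode("utf-16-le"))
    if len(bootkey) != 16:
        raise HiveError("expected 16 bootkey bytes, got %d" % len(bootkey))
    return bytes(bootkey[i] for i in BOOTKEY_PERMUTATION)

def bootkey_error(system_hive):
    """get_bootkey()'s error message for a bad hive, or None on success."""
    try:
        get_bootkey(system_hive)
    except HiveError as exc:
        return str(exc)
    return None

def rc4(key, data):
    """Plain RC4; symmetric, so it also builds the sample blob below."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)

def lsa_rc4_key(bootkey, salt):
    """MD5(bootkey || salt * 1000); salt is bytes 60:76 of the value."""
    md5 = hashlib.md5(bootkey)
    for _ in range(1000):
        md5.update(salt)
    return md5.digest()

def get_lsa_key(security_hive, bootkey):
    """LSA key = bytes 0x10:0x20 of the RC4-decrypted value bytes 12:60."""
    pol = open_key(security_hive, ["Policy", "PolSecretEncryptionKey"])
    if pol is None or "value" not in pol:
        raise HiveError("PolSecretEncryptionKey not found: wrong SECURITY hive offset?")
    blob = pol["value"]
    if len(blob) < 76:
        raise HiveError("PolSecretEncryptionKey too short: %d bytes" % len(blob))
    return rc4(lsa_rc4_key(bootkey, blob[60:76]), blob[12:60])[0x10:0x20]

def build_sample_hives(lsa_key=bytes(range(0x10, 0x20))):
    """Constructed hives (not real registry data); the SECURITY value is made
    by running the RC4 step forward, so get_lsa_key() must return lsa_key."""
    cls = lambda hexdigits: hexdigits.encode("utf-16-le")
    system = {"ControlSet001": {"Control": {"Lsa": {
        "JD": {"class": cls("00010203")}, "Skew1": {"class": cls("04050607")},
        "GBG": {"class": cls("08090a0b")}, "Data": {"class": cls("0c0d0e0f")}}}}}
    salt = bytes(range(16))
    plain = bytes(16) + lsa_key + bytes(16)  # 48 bytes, key at 0x10:0x20
    enc = rc4(lsa_rc4_key(get_bootkey(system), salt), plain)
    return system, {"Policy": {"PolSecretEncryptionKey": {"value": bytes(12) + enc + salt}}}

if __name__ == "__main__":
    system, security = build_sample_hives()
    bootkey = get_bootkey(system)
    print("bootkey :", bootkey.hex())  # 080504020b090d030006010c0e0a0f07
    print("LSA key :", get_lsa_key(security, bootkey).hex())
    print("bad hive:", bootkey_error({"ControlSet001": {}}))
```

Running the file prints the bootkey of the constructed SYSTEM hive (080504020b090d030006010c0e0a0f07, which is just the permutation table applied to the bytes 00..0f), the recovered LSA key, and the message a hive without Control\Lsa produces in place of the AttributeError. Against a real dump the dict lookups would be the hive walk, and the point of the explicit checks is that a wrong hive offset then fails with a message naming the missing key rather than deep inside get_bootkey.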