Windows Credentials and Memory Dumps – Part 4: Volatility & Mimikatz

For this test I installed everything in a WinXP VM. I followed these instructions:
… with only small changes, because I had a win32 machine.
First things first: the plugin seems to be a PoC and supports Windows Vista and 7, 32 and 64 bit (maybe it works for Windows Server 2008 too?).
Here are the steps for installing Volatility with the plugin:
Download & install Python 2.7.x from
Download & install Volatility 2.4 module installer
Download & install Microsoft Visual C++ Compiler for Python 2.7
(Don’t know if that was really necessary)
C:\Python27\Scripts>python.exe -m pip install distorm3
C:\Python27\Scripts>python.exe -m pip install Pycrypto
C:\Python27\Scripts>python.exe -m pip install yara
C:\Python27\Scripts>python.exe -m pip install construct
I downloaded the mimikatz plugin for volatility from:
and stored it in c:\volatility-plugins.
C:\>python.exe "c:\Python27\Scripts\" --plugins="c:\volatility-plugins" --info | findstr /i mimi
Volatility Foundation Volatility Framework 2.4
linux_slabinfo             – Mimics /proc/slabinfo on a running machine
mimikatz                   – mimikatz offline
Then copy the test.elf image from part 1 to the VM.
Now the credentials can be recovered in clear text. The wdigest rows show up because, on the Windows versions this plugin targets, the WDigest security package keeps the logon password in LSASS memory by default; Microsoft's KB2871997 update adds the UseLogonCredential value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, and setting it to 0 stops that caching (it is already off by default from Windows 8.1 onward):
C:\>python "c:\python27\scripts\" --plugins="c:\volatility-plugins" -f "z:\DAXAMD-20160124-111555.raw" --profile=Win7SP0x64 mimikatz
Volatility Foundation Volatility Framework 2.4
Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  __vmware_user__  daxamd           XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wdigest  dax              daxamd           XXXXXXXXXXXXXXXXXX
wdigest  DAXAMD$          WORKGROUP
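As an added example (not part of the original post, nor of the Volatility plugin itself), the following Python script turns the table the mimikatz plugin prints into a short triage report: which accounts had a clear-text password recoverable from the dump, and which rows, such as the DAXAMD$ machine account above, have an empty Password cell. It slices the fixed-width columns using the dashed separator line rather than splitting on whitespace, so an empty password does not shift the remaining fields left. The embedded plugin output and its passwords are constructed for the example (the column widths match the output above), and the script runs under both Python 2.7, the version used here, and Python 3.

```python
"""Turn the table printed by the Volatility 2.4 mimikatz plugin into a short
triage report.  Runs under Python 2.7 and Python 3; no third-party modules."""
from __future__ import print_function
import re
import sys

# Constructed sample of the plugin's output: banner, header, dashed separator
# and three rows.  Column widths (8/16/16/40) match the output above; the
# passwords are made up for this example.
_FMT = "{0:<8} {1:<16} {2:<16} {3}"
SAMPLE_OUTPUT = "\n".join(
    ["Volatility Foundation Volatility Framework 2.4",
     _FMT.format("Module", "User", "Domain", "Password"),
     _FMT.format("-" * 8, "-" * 16, "-" * 16, "-" * 40)] +
    [_FMT.format("wdigest", user, domain, password) for user, domain, password in (
        ("__vmware_user__", "daxamd", "Sample-Pass-1"),  # constructed password
        ("dax", "daxamd", "Winter2016!"),                 # constructed password
        ("DAXAMD$", "WORKGROUP", ""),                     # machine account, empty cell
    )]
) + "\n"

_DASHES = re.compile(r"-+")


def _is_separator(line):
    """True for the dashed line Volatility prints under the column header."""
    stripped = line.strip()
    return bool(stripped) and set(stripped) <= set("- ")


def parse_mimikatz_output(text):
    """Parse the fixed-width table into dicts keyed module/user/domain/password.

    Column boundaries are taken from the dashed separator line, so an empty
    Password cell (machine accounts such as DAXAMD$) stays empty instead of
    the remaining fields shifting left as they would with str.split()."""
    lines = text.splitlines()
    sep_idx = next((i for i, line in enumerate(lines) if _is_separator(line)), None)
    if sep_idx is None or sep_idx == 0:
        raise ValueError("no column separator found; not mimikatz plugin output?")
    header = lines[sep_idx - 1]
    spans = [(m.start(), m.end()) for m in _DASHES.finditer(lines[sep_idx])]
    names = [header[start:end].strip().lower() for start, end in spans]
    rows = []
    for line in lines[sep_idx + 1:]:
        if not line.strip():
            continue
        row = {}
        for idx, (name, (start, end)) in enumerate(zip(names, spans)):
            # The last column is not width-limited: it runs to the end of the line.
            cell = line[start:] if idx == len(spans) - 1 else line[start:end]
            row[name] = cell.strip()
        rows.append(row)
    return rows


def summarize(rows):
    """Split rows into (clear-text password recovered, no password in the dump)."""
    exposed = [r for r in rows if r["password"]]
    missing = [r for r in rows if not r["password"]]
    return exposed, missing


def redact(password, keep=2):
    """Mask a recovered password for a report, keeping only its first `keep` chars."""
    return password[:keep] + "*" * max(0, len(password) - keep)


def report(text):
    """Return the triage report as a list of lines, with passwords masked."""
    exposed, missing = summarize(parse_mimikatz_output(text))
    out = []
    for r in exposed:
        out.append("%s\\%s: clear-text password recovered from %s (%s)"
                   % (r["domain"], r["user"], r["module"], redact(r["password"])))
    for r in missing:
        out.append("%s\\%s: no clear-text password in the dump"
                   % (r["domain"], r["user"]))
    return out


if __name__ == "__main__":
    # Pass a file holding saved plugin output, or run with no arguments to
    # process the constructed sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for line in report(text):
        print(line)
```

To use it on real output, redirect the plugin's stdout to a file (for example `mimikatz.txt`, a name assumed here) and run `python mimikatz_report.py mimikatz.txt`; the report masks the recovered passwords so it can be pasted into a ticket without repeating the secrets.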