Here is a great set of articles about Windows password schemes by Brendan:
- Syskey and the SAM
- Decrypting LSA Secrets
- Cached Domain Credentials
Besides the articles, Brendan created a set of plugins for Volatility that extract those passwords from a memory dump:
- hashdump: dump the LanMan and NT hashes from the registry (deobfuscated).
- lsadump: dump the LSA secrets (decrypted) from the registry.
- cachedump: dump any cached domain password hashes from the registry. This will obviously only work if the memory image comes from a machine that was part of a domain.
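As an added example (not part of the original post or of the Volatility plugins), the script below shows what a defender typically does with hashdump output next: parse the pwdump-style lines (`user:rid:lmhash:nthash:::`) and flag accounts with an empty password, accounts that still have a real LanMan hash stored (LM storage was not disabled), and accounts that share the same NT hash. The sample dump and the account names are constructed; the two constants are the well-known hashes of the empty password.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty password in the two schemes hashdump reports.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the pwdump-style format hashdump emits; not from a real image.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
jdoe:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_hashdump(text):
    """Parse hashdump output into a list of dicts; reject malformed lines loudly."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hashdump line: {line!r}")
        entries.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
        })
    return entries


def triage(entries):
    """Return (subject, finding) pairs a responder would review first.

    hashdump does not report whether an account is disabled, so an empty
    password on Guest is expected; the finding is still listed so it can be
    checked against the account's status.
    """
    findings = []
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "empty password"))
        if e["lm"] != EMPTY_LM:
            # A non-empty LM hash means the LM scheme was still in use for this account.
            findings.append((e["user"], "LM hash stored"))
        by_nt[e["nt"]].append(e["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(sorted(users)), "same NT hash (shared password)"))
    return findings


if __name__ == "__main__":
    for subject, finding in triage(parse_hashdump(SAMPLE_HASHDUMP)):
        print(f"{subject}: {finding}")
```

Run it against a saved hashdump output by replacing `SAMPLE_HASHDUMP` with the file contents; the same parser works for the RID and hash columns regardless of which Volatility version produced them, as long as the pwdump format is unchanged.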