Greetings,
Throwing this out to the informed masses... What is the best way to recover passwords, logins, etc from machines where these items are not saved to the computer like the registry - but merely typed in and the person "hits enter.". I am guessing they are in RAM, but things like dd_img does not capture them (using a windows forensics toolkit approach). Based on the scenario, keyloggers are not an option because the deed is done by the time I find out about it - but I do have access to any machine immediately after the events (corporate environment). Much appreciated...