I was asked by someone else how Windows systems in a domain cache passwords so that people can log in even when the box can’t contact the domain controller. I found a site by a guy named Arnaud Pilon about how it works, and he also provides tools for grabbing the password hashes out of the LSASS cache and cracking them using John the Ripper. Interesting stuff. Here is the URL:

http://www.cr0.net:8040/misc/cachedump.html