One Day Sec

How can volatility be used to extract local user hashes and LSA secrets from a snapshot's .vmem file?

First, identify the correct memory profile with the `imageinfo` plugin (e.g., `Win2016x64_14393`). Then run the `hashdump` plugin, which locates the SAM and SYSTEM registry hives in the memory image and extracts the local user password hashes: `volatility -f <file> --profile=<profile> hashdump`. For LSA secrets (including cached domain credentials and service account passwords), use the `lsadump` plugin in the same way: `volatility -f <file> --profile=<profile> lsadump`. Both plugins work by parsing the registry hives that are resident in the memory dump, so they return nothing if those hives were paged out or not captured. The extracted hashes can be used for pass-the-hash or offline cracking, enabling lateral movement. This process is a core part of the lateral movement chain described in the original article.
Tags: volatility, hashdump, lsadump, NTLM hash, LSA secrets, memory forensics, pass-the-hash