After the RAM Capture
After automating RAM capture, we began analyzing the RAM for our "pot of gold", which is the encryption key. We tried using many different tools, including industry standards such as Forensic Toolkit (FTK), EnCase, and Autopsy, but they all had many issues. So we turned to Volatility, a Kali Linux tool used for analyzing RAM. After countless failures, we managed to get it to read the current Windows 10 build, and we found the password hashes in the SAM hive, which could be cracked using other Kali Linux tools to unlock the workstation.