I recently read an article about how information can remain active in memory even after the machine has been powered off. A group of researchers were using this information to try to break disk encryption. I also read an article at http://www.beginningtoseethelight.org/ntsecurity/ that interested me. These articles inspired me to look around and see what I could find in memory. So I started by using a tool called pmdump, together with HxD, to view the memory space of my active processes. In the ntsecurity article they claim that a user's password is stored in plain text in the memory space belonging to the lsass service. I tested this by logging in and immediately dumping the lsass memory. I also tried this on the winlogon service and was never able to find my password in plain text. I also used dd to dump the entire physical memory of my system and was not able to find my Windows password anywhere in memory. It might be so volatile that it gets erased before I dump my memory, but I have not tested this yet. Maybe I could make a script and execute it after login. I didn't have luck with the system password, but I was able to consistently find my password in memory for the ***** hidden password fields of any program. All I had to do was open HxD, view the memory space for that program, and search for the password in Unicode. Many programs had common markers next to the passwords. I also had good luck finding passwords post-login using the same method. However, most programs write to memory so often that the passwords are quickly lost. I was especially interested in recovering post-login passwords in Firefox and IE. I found that these are usually highly volatile but can often be found by searching in ASCII mode for the POST variables (i.e. passwd=, password=, pw=).
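As an added example (not from the original post), the script below does programmatically what the HxD search above does by hand, from the other side of the fence: a developer can run it over a dump of their own process, pagefile or hibernation file to verify that a known test secret no longer survives in either its narrow (ASCII) form or its wide (UTF-16LE, the "Unicode" search) form, and to list any POST-style markers that still sit next to a value. The dump bytes are constructed here to stand in for a real memory image.

```python
import re

# Form-field markers the post mentions finding next to passwords.
MARKERS = (b"passwd=", b"password=", b"pw=")

# Constructed sample "dump" standing in for a process or pagefile image.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"GET /login user=alice&passwd=S3cret!&remember=1 "  # narrow form-post copy
    + b"\x90" * 16
    + "S3cret!".encode("utf-16-le")                        # wide (Unicode) copy
    + b"\x00" * 24
    + b"unrelated text pw=notit "                          # marker with another value
)


def encodings_of(secret: str) -> dict:
    """Byte patterns a plaintext string takes in a Windows process image:
    narrow (ASCII/ANSI) and wide (UTF-16LE) strings."""
    return {"ascii": secret.encode("ascii"), "utf16le": secret.encode("utf-16-le")}


def find_secret(dump: bytes, secret: str) -> list:
    """Every (offset, encoding) at which the known secret survives in the dump."""
    hits = []
    for enc, needle in encodings_of(secret).items():
        start = 0
        while (pos := dump.find(needle, start)) != -1:
            hits.append((pos, enc))
            start = pos + 1  # keep scanning for further copies
    return sorted(hits)


def find_markers(dump: bytes, markers=MARKERS) -> list:
    """(offset, marker, value) for each marker, value running to '&', NUL or whitespace."""
    found = []
    for marker in markers:
        for m in re.finditer(re.escape(marker) + rb"([^&\x00\s]*)", dump):
            found.append((m.start(), marker, m.group(1)))
    return sorted(found)


def secret_is_scrubbed(dump: bytes, secret: str) -> bool:
    """True only if no copy of the secret, narrow or wide, remains."""
    return not find_secret(dump, secret)


if __name__ == "__main__":
    for off, enc in find_secret(SAMPLE_DUMP, "S3cret!"):
        print(f"secret still present at offset {off:#x} ({enc})")
    for off, marker, value in find_markers(SAMPLE_DUMP):
        print(f"marker {marker.decode()} at {off:#x} -> {value.decode(errors='replace')}")
```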
Because memory is so volatile, you need luck on your side to find passwords in memory. But thanks to memory paging and hibernation, many items can end up stored in pagefile.sys and hiberfil.sys. Depending on the size of these files, they can hold information for quite some time. A good search of a system's page file and hibernation file could yield positive results.
Thanks to the ntsecurity article and the sysinternals suite I was able to make my attack remote. By issuing the following commands it is possible to dump the memory of a remote machine.
pslist \\
psexec \\ -u -p -c pmdump
move \\\$remotedir localdir
Because many organizations use the same administrative account and password on multiple computers, an attacker who obtained the admin password could remotely dump the active memory of every computer that account has access to. Administrators often use weak administrative passwords on all their desktop machines because they say "If someone breaks the password the worst that can happen is they screw up one machine. I will reimage it and it will be fixed. It's not like it's a server." Using this memory attack, a creative attacker could cause a lot of damage.