Via this post in thehackernews.com.

This video explains how to use Volatility to extract the NTLM password hashes from a memory dump, by  finding the memory addresses that belong to the \WiNDOWS\system32\config\SAM and  and \WiNDOWS\system32\config\system