Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data



Ramaswamy Chandramouli, Anoop Singhal, Duminda Wijesekera, Changwei Liu


Hardware/Server Virtualization is a key feature of data centers used for cloud computing services and enterprise computing that enables ubiquitous access to shared system resources. Server virtualization is typically performed by a hypervisor, which provides mechanisms to abstract hardware and system resources from an operating system. Hypervisors are large pieces of software with several thousand lines of code and are therefore known to have vulnerabilities. This document analyzes the recent vulnerabilities associated with two open- source hypervisors - Xen and KVM - as reported by the National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD), and develops a profile of those vulnerabilities in terms of hypervisor functionality, attack type, and attack source. Based on the predominant number of vulnerabilities in a hypervisor functionality (attack vector), two sample attacks using those attack vectors were launched to exploit those vulnerabilities, and the associated system calls were logged. The objective was to determine the evidence coverage for detecting and reconstructing those attacks and identify techniques required to gather missing evidence.
NIST Interagency/Internal Report (NISTIR) - 8221
Report Number


cloud computing, forensic analysis, hypervisors, KVM, vulnerabilities, Xen


Chandramouli, R. , Singhal, A. , Wijesekera, D. and Liu, C. (2019), A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed April 14, 2024)
Created June 4, 2019, Updated June 12, 2019