NIST IR 8221 (Initial Public Draft)

A Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks

Date Published: September 2018
Comments Due: October 12, 2018 (public comment period is CLOSED)


Ramaswamy Chandramouli (NIST), Anoop Singhal (NIST), Duminda Wijesekera (NIST), Changwei Liu (NIST)


Hardware/server virtualization is now an integral feature of the infrastructure of data centers used for cloud computing services as well as for enterprise computing. One of the key strategies for vulnerability management of the core software that provides virtualization (i.e., the hypervisor) is devising a methodology for determining forensic data requirements for detecting attacks on this software. This document outlines one such methodology by developing a profile of vulnerabilities in terms of hypervisor functionality (attack vectors), attack type, and attack source; performing attacks using predominant vulnerabilities; and identifying the available and missing data for reconstructing the attack execution path.



cloud computing; forensic analysis; hypervisors; KVM; vulnerabilities; Xen
Control Families

None selected


Draft NISTIR 8221 (pdf)

Supplemental Material:
None available

Document History:
09/21/18: IR 8221 (Draft)
06/05/19: IR 8221 (Final)


Security and Privacy

vulnerability management


cloud & virtualization