The invention discloses a physical memory forensic method for a KVM (Kernel-based Virtual Machine). The method comprises the following steps: a) acquiring the physical memory of the host machine; d) detecting the VMCS (Virtual-Machine Control Structure) version number of the KVM; e) detecting the VMX (Virtual Machine Extensions) exit reason indicator; f) detecting and acquiring the CR3 register of the host machine; g) detecting and acquiring the CR3 register of the virtual machine; h) checking for two consecutive 0xffffffff values; i) detecting and acquiring the extended pages; j) judging the correctness of the Host_CR3 register; k) judging the correctness of the Guest_CR3 register; l) judging whether the detection is complete; m) acquiring the physical memory of the virtual machine; n) analyzing the physical memory of the virtual machine. The method first judges whether a potential VMCS structure exists in the pages and then judges the correctness of that VMCS structure, so that the physical memory of the virtual machine can be acquired. The method exerts no influence on the status of the virtual machine and is suitable for investigation and evidence collection across various security incidents and all kinds of computer crimes.
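
The candidate-detection stage described above (steps d, e and h) can be sketched as a page scanner; this is an added example, not code from the patent, and it stops before the CR3 and extended-page checks because the abstract gives no field offsets for them. Assumptions: the header follows Intel's documented VMCS region layout (revision identifier in bits 30:0 of the first dword, an indicator in the second dword), the second dword is the indicator of step e and is expected to be 0, and the function names and sample values are hypothetical.

```python
import struct

PAGE_SIZE = 4096
LINK_MARKER = b"\xff" * 8        # two consecutive 0xffffffff dwords (step h)
SAMPLE_REVISION_ID = 0x12        # constructed value, not from a real CPU


def find_vmcs_candidates(image, revision_id, indicator=0):
    """Return (page_offset, marker_offset) for each page that passes the
    header checks and contains the 0xffffffff 0xffffffff marker."""
    hits = []
    for base in range(0, len(image) - PAGE_SIZE + 1, PAGE_SIZE):
        page = image[base:base + PAGE_SIZE]
        rev, ind = struct.unpack_from("<II", page, 0)
        # Bit 31 of the first dword is the shadow-VMCS flag, so mask it off.
        if rev & 0x7FFFFFFF != revision_id or ind != indicator:
            continue
        pos = page.find(LINK_MARKER, 8)
        while pos != -1 and pos % 4:      # keep only dword-aligned matches
            pos = page.find(LINK_MARKER, pos + 1)
        if pos != -1:
            hits.append((base, pos))
    return hits


def build_sample_image():
    """Constructed 4-page image: only page 1 should be reported."""
    def page(rev, ind, marker_at=None):
        buf = bytearray(PAGE_SIZE)
        struct.pack_into("<II", buf, 0, rev, ind)
        if marker_at is not None:
            buf[marker_at:marker_at + 8] = LINK_MARKER
        return bytes(buf)
    return b"".join([
        page(0, 0),                              # empty page
        page(SAMPLE_REVISION_ID, 0, 0x40),       # VMCS-like page
        page(SAMPLE_REVISION_ID, 0),             # header only, no marker
        page(0x99, 0, 0x40),                     # marker only, wrong header
    ])


if __name__ == "__main__":
    image = build_sample_image()
    for base, off in find_vmcs_candidates(image, SAMPLE_REVISION_ID):
        print(f"candidate VMCS page at {base:#x}, marker at +{off:#x}")
```

Pages reported here are only candidates; the later steps of the method (judging Host_CR3 and Guest_CR3) are what confirm or reject them.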