A computer system acquires forensics data from running virtual machines in a hypervisor-hosted virtualization environment. The computer system provides a forensics partition as an additional root virtual machine partition or child virtual machine partition. The forensics partition includes a forensics service application programming interface configured to target one or more virtual machines and acquire forensics data from a targeted virtual machine running in a particular child virtual machine partition. The forensics service application programming interface is configured to communicate via one or more inter-partition communication mechanisms such as an inter-partition communication bus, a hypercall interface, or forensics switch implemented by the hypervisor-hosted virtualization environment. The forensics service application programming interface can be exposed to a forensics tool as part of a cloud-based forensics service.