Which type of hypervisor is typically found loaded on a suspect machine?

Multiple Choice

Which type of hypervisor is typically found loaded on a suspect machine?

Explanation:
Type 1 hypervisors are built to run directly on the hardware, without an underlying host operating system. That bare-metal placement makes them the typical virtualization layer you’d encounter on a suspect machine that’s been prepared to run VMs covertly. Because there is no host OS running a separate virtualization application, a Type 1 hypervisor can boot and operate more stealthily and persistently, which is why it’s the most likely form to be found loaded during a forensic examination.

In contrast, a Type 2 hypervisor sits on top of an existing OS, so you’d expect to see the host OS and the virtualization software as ordinary software artifacts within that OS. The option indicating no hypervisor would be incorrect if virtualization is actually present, and KVM is a specific implementation rather than a type; the classification you’re looking for is the architecture—bare-metal, or Type 1.
