Research and Design of a Distributed Network Real-Time Forensics System

  • Abstract: Based on an analysis of the problems in the current network architecture that hinder network forensics, a distributed network real-time forensics system is proposed and designed. By continuously monitoring and analyzing the internal operation of the network, the system, while protecting network security, determines whether the network intruder's behavior constitutes a crime, then extracts and analyzes the intruder's criminal evidence information, and implements integrity protection and verification of that evidence information. Finally, it generates the intruder's criminal evidence through time-linearized real-time fusion.

     
