Citation: WANG Su-fang, GAO Mei-zhen, SU Ji-bin. Study on the Model of Computer Forensics Based on the Secret-Related Network[J]. Microelectronics & Computer, 2010, 27(5): 202-205.

Study on the Model of Computer Forensics Based on the Secret-Related Network

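  • Abstract (Chinese version): An Agent-based dynamic remote-control forensics model is designed for secret-related networks. It adopts an Agent-based distributed data collection strategy, introduces the syslog protocol to transmit the relevant logs efficiently in real time, and combines computer forensics with intrusion detection technology to acquire intrusion evidence dynamically, improving the credibility, validity and probative force of the evidence.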

     

    Abstract: Combining computer forensics with intrusion detection techniques, a distributed dynamic computer forensics model based on multiple Agents is presented. A distributed data collection policy is adopted, and the syslog protocol is introduced to transmit the related logs efficiently in real time, so that the range of data collection is extended. The dynamic intrusion detection system provides real-time evidence of high legal stringency. An evidence-combined data analysis technique is adopted to decrease the false alarm rate and enhance the validity of the evidence.

     
