文档介绍:II AbstractEvidence model in puter existing do not adapt the prevailing requirements of the evidence because of lack basic needs analysis, the evidence of timing constraints, statements of cross-duplication work not clear and so on. So we have designed a practical evidence model in puter. By the model the evidence model will be divided into five stages, each stage of the evidence model workflow convergence relations. in order to ensure the orderly process Association, in each stage of the work to the stage with the evidence requirements of the evidence attribute restrictive conditions, puter forensics and evidence of legal work anic integration truly realized the purpose of puter forensics. In order to facilitate a clear understanding of puter evidence activities, we have described the practical evidence model used by the s. According to the the framework of the practical evidence model in puter, We have advanced application standards of the evidence tools and optional tools in puter firstly, provided the e immediate measures to protect the evidence. Then we made for a specific analysis to the demand of the evidence in order to identify the core content of the work with the corresponding methods of operation to ensure the effective access to the evidence phase extraction or evidence found in-depth work of the clues. We have made a thorough study to the contents of some questions, such as restoring files, IP address tracing, and advanced some solution, the contents are help for the practical evidence . Based on the requirements of the evidence analysis ,We have advanced some methods such as Correlation function of the system, relevant functions time correlation, correlation analysis of the methods, and these methods can meet the special requirements puter evidence. We have defined of the various analysis methods of application object or its scope in order to help Evidences officers destinately use of evidence analysis. In order to deepen the understan