Computer Science ›› 2009, Vol. 36 ›› Issue (11): 65-67.


Self-adaptive Mechanism of Dynamic Forensics

CHEN Lin, LI Zhi-tang, GAO Cui-xia

  • Online:2018-11-16 Published:2018-11-16

Abstract: With the development of intrusion and computer crime technologies, dynamic forensics is becoming increasingly important. Dynamic forensics based on intrusion detection and honeypot technologies has a great advantage in real-time performance, whereas these methods fall short in overcoming the difficulties of evidence and system reliability, and find it hard to seize the opportunity for investigation. A self-adaptive mechanism was proposed that uses an intrusion detection system as the forensics trigger and a shadow honeypot to verify the suspicious attack and to further observe and analyze the attack activities in order to gather key evidence. The finite state machine model of this mechanism was then presented, and key technologies such as the shadow honeypot, state transition opportunity and secure evidence storage method were described. A dynamic forensics system with this mechanism can tolerate intrusion to a certain degree and keep the investigation process under control. Moreover, the amount of unnecessary evidence can be reduced markedly.

Key words: Dynamic forensics, Shadow honeypot, Self-adaptive, Finite state machine
