
Authors:

He, Jingsha (He, Jingsha.) (Scholar: 何泾沙) | Chang, Chengyue (Chang, Chengyue.) | He, Peng (He, Peng.) | Pathan, Muhammad Salman (Pathan, Muhammad Salman.)

Indexed in:

EI Scopus

Abstract:

As the Internet becomes larger in scale, more complex in structure and more diversified in traffic, the number of crimes that utilize computer technologies is also increasing at a phenomenal rate. To react to the increasing number of computer crimes, the field of computer and network forensics has emerged. The general purpose of network forensics is to find malicious users or activities by gathering and dissecting firm evidences about computer crimes, e.g., hacking. However, due to the large volume of Internet traffic, not all the traffic captured and analyzed is valuable for investigation or confirmation. After analyzing some existing network forensics methods to identify common shortcomings, we propose in this paper a new network forensics method that uses a combination of network vulnerability and network evidence graph. In our proposed method, we use vulnerability evidence and reasoning algorithm to reconstruct attack scenarios and then backtrack the network packets to find the original evidences. Our proposed method can reconstruct attack scenarios effectively and then identify multi-staged attacks through evidential reasoning. Results of experiments show that the evidence graph constructed using our method is more complete and credible while possessing the reasoning capability. © 2016 by the authors.

Keywords:

Computer crime; Computer forensics; Crime; Digital forensics; Graph algorithms; Network security; Personal computing

Author affiliations:

  • [ 1 ] [He, Jingsha]Faculty of Information Technology, Beijing Engineering Research Center for IoT Software and Systems, Beijing University of Technology, Beijing; 100124, China
  • [ 2 ] [Chang, Chengyue]Faculty of Information Technology, Beijing Engineering Research Center for IoT Software and Systems, Beijing University of Technology, Beijing; 100124, China
  • [ 3 ] [He, Peng]College of Computer and Information Technology, China Three Gorges University, Yichang; 443002, China
  • [ 4 ] [Pathan, Muhammad Salman]Faculty of Information Technology, Beijing Engineering Research Center for IoT Software and Systems, Beijing University of Technology, Beijing; 100124, China

Corresponding author:

  • [Chang, Chengyue]Faculty of Information Technology, Beijing Engineering Research Center for IoT Software and Systems, Beijing University of Technology, Beijing; 100124, China


Source:

Future Internet

Year: 2016

Issue: 4

Volume: 8

Citation counts:

WoS Core Collection citations: 0

Scopus citations: 8

ESI Highly Cited Papers listing: 0
