Abstract: A network forensics research method is proposed that comprises alert standardization, alert redundancy reduction, scenario reconstruction and alert aggregation. The interference of failed attacks with the forensics process is reduced by removing the alerts that correspond to failed attacks. During scenario reconstruction, unnecessary evidence is removed by the method of inverse association, and isolated alerts are supplemented to ensure the integrity of the evidence chain. During alert aggregation, a method is proposed for merging alerts that describe the same attack step at different levels of detail. The intrusion scenarios are reconstructed at the abstract layer and at the specific layer respectively. Finally, experiments verify the effectiveness of the proposed method.
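To make the pipeline described in the abstract concrete, the following is an added example of its four stages in Python (this is not the paper's code or data). The two sensor schemas, the attack-phase ordering (`recon`, `exploit`, `c2`), the time windows, the rule that a flow which never gets past reconnaissance is dropped as unnecessary evidence, and all sample alerts are constructed assumptions. Inverse association walks backwards from the last step of a flow, which discards alerts that cannot be linked to it; the supplement step re-attaches isolated earlier alerts when a step in between produced no alert; aggregation merges the alerts of one step into an abstract layer (the phase) and a specific layer (the distinct sensor signatures).

```python
"""Added example (not the paper's code): a minimal alert-forensics pipeline with
the steps named in the abstract. Sensor schemas, phase ordering, time windows
and the sample alerts are all constructed assumptions."""
from collections import defaultdict

PHASES = ["recon", "exploit", "c2"]  # assumed ordering of attack steps

# Assumed field names of two hypothetical sensors, mapped to one common schema.
SCHEMAS = {
    "ids_a": {"src": "srcip", "dst": "dstip", "sig": "sig", "ts": "time", "phase": "phase", "ok": "outcome"},
    "ids_b": {"src": "source", "dst": "target", "sig": "name", "ts": "ts", "phase": "stage", "ok": "status"},
}
SUCCESS = {"success", "ok"}

# Constructed sample alerts: one full intrusion 10.0.0.5 -> 10.0.0.9 (with a
# duplicate, a failed exploit and a second sensor's more detailed view),
# unrelated noise from 10.0.0.77, and a second intrusion 10.0.0.5 -> 10.0.0.12
# whose exploit step produced no alert at all.
RAW_ALERTS = [
    {"sensor": "ids_a", "srcip": "10.0.0.5", "dstip": "10.0.0.9", "sig": "port scan", "time": 100, "phase": "recon", "outcome": "success"},
    {"sensor": "ids_a", "srcip": "10.0.0.5", "dstip": "10.0.0.9", "sig": "port scan", "time": 101, "phase": "recon", "outcome": "success"},
    {"sensor": "ids_b", "source": "10.0.0.5", "target": "10.0.0.9", "name": "service version probe", "ts": 110, "stage": "recon", "status": "ok"},
    {"sensor": "ids_a", "srcip": "10.0.0.77", "dstip": "10.0.0.9", "sig": "port scan", "time": 150, "phase": "recon", "outcome": "success"},
    {"sensor": "ids_a", "srcip": "10.0.0.5", "dstip": "10.0.0.9", "sig": "exploit attempt X", "time": 200, "phase": "exploit", "outcome": "failed"},
    {"sensor": "ids_a", "srcip": "10.0.0.5", "dstip": "10.0.0.9", "sig": "exploit attempt Y", "time": 230, "phase": "exploit", "outcome": "success"},
    {"sensor": "ids_b", "source": "10.0.0.5", "target": "10.0.0.9", "name": "exploit Y, payload details", "ts": 231, "stage": "exploit", "status": "ok"},
    {"sensor": "ids_a", "srcip": "10.0.0.5", "dstip": "10.0.0.9", "sig": "outbound beacon", "time": 300, "phase": "c2", "outcome": "success"},
    {"sensor": "ids_a", "srcip": "10.0.0.5", "dstip": "10.0.0.12", "sig": "port scan", "time": 400, "phase": "recon", "outcome": "success"},
    {"sensor": "ids_a", "srcip": "10.0.0.5", "dstip": "10.0.0.12", "sig": "outbound beacon", "time": 500, "phase": "c2", "outcome": "success"},
]

def standardize(raw):
    """Map a sensor-specific alert onto the common schema."""
    m = SCHEMAS[raw["sensor"]]
    return {"sensor": raw["sensor"], "src": raw[m["src"]], "dst": raw[m["dst"]],
            "sig": raw[m["sig"]], "ts": raw[m["ts"]], "phase": raw[m["phase"]],
            "success": raw[m["ok"]] in SUCCESS}

def deduplicate(alerts, window=5):
    """Drop repeats of the same (sensor, src, dst, sig) within `window` seconds."""
    kept, last_seen = [], {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["sensor"], a["src"], a["dst"], a["sig"])
        if key in last_seen and a["ts"] - last_seen[key] <= window:
            continue
        last_seen[key] = a["ts"]
        kept.append(a)
    return kept

def drop_failed(alerts):
    """Remove alerts for attacks the sensor reports as unsuccessful."""
    return [a for a in alerts if a["success"]]

def inverse_association(flow, final):
    """Walk backwards from the final alert of one (src, dst) flow: each earlier
    phase contributes the alerts that precede the current anchor. Stops at the
    first phase with no alert; alerts before that point stay isolated."""
    chain, anchor = [final], final
    for phase in reversed(PHASES[:PHASES.index(final["phase"])]):
        cands = [a for a in flow if a["phase"] == phase and a["ts"] < anchor["ts"]]
        if not cands:
            break
        chain.extend(cands)
        anchor = min(cands, key=lambda a: a["ts"])
    return sorted(chain, key=lambda a: a["ts"])

def supplement_isolated(flow, chain, max_gap=300):
    """Re-attach isolated earlier-phase alerts of the same flow that fall within
    `max_gap` seconds before the chain's first step (a missed step in between)."""
    first = chain[0]
    idx = PHASES.index(first["phase"])
    extra = [a for a in flow if PHASES.index(a["phase"]) < idx
             and first["ts"] - max_gap <= a["ts"] < first["ts"]]
    return sorted(extra, key=lambda a: a["ts"]) + chain

def aggregate(chain):
    """Merge alerts of the same step: abstract layer = ordered phases present,
    specific layer = distinct (sensor, signature) pairs per phase."""
    steps = defaultdict(list)
    for a in chain:
        steps[a["phase"]].append(a)
    present = [p for p in PHASES if p in steps]
    covered = PHASES[PHASES.index(present[0]):PHASES.index(present[-1]) + 1]
    return {"abstract": present,
            "missing": [p for p in covered if p not in steps],
            "specific": {p: sorted({(a["sensor"], a["sig"]) for a in steps[p]}) for p in present}}

def reconstruct(raw_alerts):
    """Full pipeline; returns one scenario per (src, dst) flow that got past recon."""
    alerts = drop_failed(deduplicate([standardize(r) for r in raw_alerts]))
    flows = defaultdict(list)
    for a in alerts:
        flows[(a["src"], a["dst"])].append(a)
    scenarios = {}
    for pair, flow in flows.items():
        final = max(flow, key=lambda a: (PHASES.index(a["phase"]), a["ts"]))
        if final["phase"] == "recon":
            continue  # reconnaissance alone is treated as unnecessary evidence (assumption)
        chain = supplement_isolated(flow, inverse_association(flow, final))
        scenarios[pair] = aggregate(chain)
    return scenarios

if __name__ == "__main__":
    for pair, scenario in reconstruct(RAW_ALERTS).items():
        print(pair, scenario)
```

Running the module prints two scenarios: the 10.0.0.5 -> 10.0.0.9 flow with all three phases, where the failed exploit X is absent and the two sensors' views of exploit Y are merged into one step, and the 10.0.0.5 -> 10.0.0.12 flow, whose reconnaissance alert is re-attached to the beacon and whose `missing` list records the undetected exploit step; the 10.0.0.77 scan never appears.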