In recent years, with the development of Internet technology, people's life has been more convenient with the help of the Internet. But it has also given rise to a new form of crime, Internet crimes. Computer forensics is thus born to deal with new kinds of crimes. In this study, the improved K-means clustering algorithm was adopted to obtain computer real-time evidence of network intrusion crimes. The detection performance of the improved algorithm for the four types of characteristic data was analyzed by MATLAB. Moreover, the detection performance of traditional clustering algorithm under different intrusion attack modes was compared. The results demonstrated that the improved algorithm is more suitable for detecting the first kind of characteristic data; and compared with the traditional clustering algorithm, under the three flood attack modes of User Datagram Protocol (UDP), Internet Control Messages Protocol (ICMP) and Transmission Control Protocol (TCP), the improved algorithm is better and has faster speed of data processing. In conclusion, the improved K-means clustering algorithm can be applied to the computer real-time location and forensics of network intrusion crimes.