
A Dynamic Network Forensic Analysis System based on Intrusion Alert Correlation for Cloud Environments

Advisor: 王勝德

Abstract


To obtain evidence of network crimes, network forensics has received growing attention. Most current network forensic methods rely on manual, after-the-fact analysis, which is especially time-consuming in cloud environments with large volumes of network traffic; automating network forensics is therefore an indispensable task. In this thesis, we propose a dynamic network forensic system for cloud environments which, when an attack occurs, collects as much evidence as possible in the shortest possible time. We use Snort, a signature-based intrusion detection system, as the tool for monitoring network activity. In addition, this thesis proposes a two-phase analysis method that analyzes network data according to intrusion alerts. The objectives of this thesis include dynamically collecting relevant evidence, attempting to find attacks that the signature-based intrusion detection system fails to detect, and reducing the volume of data to save storage space. In the experiments, we test the system with well-known data sets and present how the system's analysis results differ under different intrusion detection system configurations. The experimental results show that our analysis method can efficiently extract relevant evidence and, compared with related work, saves storage space more effectively.

Parallel Abstract (English)


In order to obtain evidence against network criminals, network forensics techniques have become more and more important. Current network forensic approaches are primarily static, post-mortem investigations, which are time-consuming with massive network traffic, especially in cloud environments. Therefore, the automation of network forensics becomes an essential task. In this thesis, we propose a dynamic network forensics system for cloud environments that gathers evidence as soon as possible. We use the popular signature-based Intrusion Detection System (IDS), Snort, as a network forensic tool to monitor network activities. Moreover, we propose a two-phase analysis approach to automatically analyze the network data based on intrusion alerts. In brief, the objectives of our approach include collecting relevant evidence dynamically, trying to discover the attacks missed by the signature-based IDS, and reducing the data storage required to keep the evidence. In experiments with well-known data sets, the performance of our approach under different IDS configurations has also been analyzed and is presented in this thesis. The experimental results show that our analysis approach is able to automatically extract relevant evidence and save more storage space.

