A　system,　DFR2　(on-demand　forensic　technology　support　for　rollback　recovery),　is　developed　to　obtain　on　demand　real-time　evidence　from　crimes　to　support　rollback　recovery.　The　Linux　based　system　for　obtaining　evidence　uses　different　methods　and　objects　which　are　logically　based　on　their　different　environments　to　narrow　down　the　range　of　treatments,　to　shorten　the　investigations　and　evidence　acquisition,　and　to　improve　the　effectiveness　of　the　evidence.　The　system　also　supports　rollback　recovery　of　the　file　system　data　to　minimize　intrusion　losses.　Compared　with　existing　method　Snare,　the　results　have　improved　function　and　performance　with　reducing　5%　cost　during　robbing　process.