Abstract: Since the Trojan malware usually invades computing facilities secretly and eavesdrops on important information, it is very necessary to master the Trojan behavior, communication mechanisms and the way of eavesdrop, which can support the valuable intelligence clues for the network crime investigation. According to the characteristics of Trojan malware, this paper discusses the basis process of Trojan forensics investigation combing with experience of the network security department of public security organs. Meanwhile, it also introduces the common tools and methods for malware investigation. This paper describes some actual cases about the Trojan malware investigation technology involved the application in the network crime.