In this paper, a kind of security operating system with the mechanism of real-time forensics (called SeFOS) is presented, the general architecture of SeFOS is described, the model of its forensics behaviors is analyzed with some formal method descriptions, and the method of completely collecting and safely storing for the digital evidences is presented. The forensics model of SeFOS is inside the kernel and the evidences are obtainted from system processes, system calls, resources assigning inside the kernel and network data. Finally, a simulated experiment is designed to validate the efficiency of SeFOS.