DETAILED ACTION
Claims 1-2, 4, 7, 10-18 and 20-32 are pending. Claims 3, 5-6, 8-9, and 19 are canceled. Claims 21-32 are new. This is in response to Applicant’s arguments filed on January 15, 2021.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Authorization
Authorization for this examiner’s amendment was given in an interview with Douglas Mark Hamilton #47,629 on February 4, 2021.


Claim Amendments
1. (Currently Amended) A forensic analysis method performed in respect of an endpoint device connected to a computer network, the method comprising:
  collecting file system call data from the endpoint device, the file system call data corresponding to a plurality of system calls relating to file system operations arising from activity performed on the endpoint device, wherein the file system call data is collected by a software wrapper that intercepts or receives notifications about system calls made by any program running in a kernel or a user space of the endpoint device; 
collecting network communication metadata from the endpoint device, the network communication metadata being based on a plurality of system calls relating to communication operations over the computer network arising from activity performed on 
identifying second candidate data in the collected file system call data, the second candidate data corresponding to the first candidate data by 
when each file system call data comprises a time element and each network communication metadata comprises a timestamp, identifying the second candidate data based on the time element and the timestamp being within a predetermined time of each other; and 
when each file system call data comprises a first process identifier and the network communication metadata comprises a second process identifier, 
 	analyzing the second candidate data to determine whether or not the first and second candidate data correspond to suspect activity performed on the endpoint device.  

2. (Original) The forensic analysis method according to claim 1 wherein the network communication metadata comprises process identifier, source IP/port identifier, protocol, protocol version, timestamp and number of bytes transferred.  

3. (Cancelled)  

4. (Previously Presented) The forensic analysis method according to claim 1 wherein said detecting first candidate data includes comparing at least one characteristic of the collected system call data with at least one predetermined characteristic of network communication metadata, the at least one predetermined characteristic being indicative of suspect activity being performed on the endpoint device.  

5-6. (Cancelled)  
  
7. (Previously Presented) The forensic analysis method according to claim 1 wherein said detecting first candidate data comprised in the collected network 

8-9. (Cancelled)

-3- Appl. No. 15/990,342 Reply to Office Action of October 21, 2020
  
10. (Original) The forensic analysis method according to claim 1 wherein each system call data comprises a first process name and the network communication metadata comprises a second process name and wherein the step of identifying second candidate data corresponding to the first candidate data comprises identifying the second candidate data in dependence on the first and second process names are the same.  

11. (Previously Amended) The forensic analysis method according to claim 1 wherein the second candidate data is identified in the collected file system call data and said analyzing the second candidate data comprises: comparing at least one characteristic of the second candidate data with at least one predetermined characteristic of file system call data, the at least one predetermined characteristic of file system call data being indicative of suspect activity being performed on the endpoint 

12. (Original) The forensic analysis method according to claim 11 wherein the at least one characteristic comprises at least one file command comprised in the file system call data.  

13. (Original) The forensic analysis method according to claim 12 wherein the at least one file command comprises at least one of: file create; file read; file write; file delete; file rename; and file move.  

14. (Previously Amended) The forensic analysis method according to claim 1 further comprising identifying an event based on said analyzing the second candidate system call data, the event being one of a file upload event and a file download event.

15. (Original) The forensic analysis method according to claim 14 wherein identifying the event comprises recording data pertaining to the event, the data pertaining to the event comprising at least one of: date and time; machine identifier; username; application identifier; activity identifier; and resource identifier.  

16. (Original) The forensic analysis method according to claim 14 further comprising retrieving at least one file that is the object of the identified event, the at 

17. (Previously Presented) The forensic analysis method according to claim 1 further comprising storing each of the collected file system call data and the collected network communication metadata in the endpoint device by way of at least one of: for a predetermined period; and in data storage of predetermined size.  

18. (Previously Presented) The forensic analysis method according to claim 1 wherein at least one of the file system call data and the network communication metadata is collected at an interface between the kernel and the user space.  

19. (Cancelled)

20. (Previously Amended) A non-transitory medium that stores executable program instructions for causing an endpoint device to perform a method comprising: 
collecting file system call data from the endpoint device, the file system call data corresponding to a plurality of system calls relating to file system operations arising from activity performed on the endpoint device, wherein the file system call data is collected by a software wrapper that intercepts or receives notifications about system calls made by any program running in a kernel or a user space of the endpoint device; 
collecting network communication metadata from the endpoint device, the network communication metadata being based on a plurality of system calls relating to 
detecting first candidate data comprised in the collected network communication metadata by determining a number of communication system calls to a particular network node in the computer network within a predetermined time window and determining whether the number of communication system calls to the particular network node is greater than a predetermined number; 
identifying second candidate data in the collected file system call data, the second candidate data corresponding to the first candidate data by: 
when each file system call data comprises a time element and each network communication metadata comprises a timestamp, identifying the second candidate data based on the time element and the timestamp being within a predetermined time of each other; and 
when each file system call data comprises a first process identifier and the network communication metadata comprises a second process identifier, 
analyzing the second candidate data to determine whether or not the first and second candidate data correspond to suspect activity performed on the endpoint device.

21. (Previously Presented) The non-transitory medium of claim 20, wherein the network communication metadata comprises process identifier, source IP/port identifier, protocol, protocol version, timestamp and number of bytes transferred. 
 
22. (Previously Presented) The non-transitory medium of claim 20, wherein said detecting first candidate data includes comparing at least one characteristic of the collected system call data with at least one predetermined characteristic of network communication metadata, the at least one predetermined characteristic being indicative of suspect activity being performed on the endpoint device.  

23. (Previously Presented) The non-transitory medium of claim 20, wherein said detecting first candidate data comprised in the collected network communication metadata depends on an amount of data involved in at least one communication system call.  

24. (Previously Presented) The non-transitory medium of claim 20, wherein each system call data comprises a first process name and the network communication 

25. (Previously Amended) The non-transitory medium of claim 20, wherein the second candidate data is identified in the collected file system call data and said analyzing the second candidate data comprises: comparing at least one characteristic of the second candidate data with at least one predetermined characteristic of file system call data, the at least one predetermined characteristic of file system call data being indicative of suspect activity being performed on the endpoint device; and 
 
26. (Previously Presented) The non-transitory medium of claim 25, wherein the at least one characteristic comprises at least one file command comprised in the file system call data.  

27. (Previously Presented) The non-transitory medium of claim 26, wherein the at least one file command comprises at least one of: file create; file read; file write; file delete; file rename; and file move.  

28. (Currently Amended) The non-transitory medium of claim 20, wherein the method further comprises identifying an event based on said analyzing the second candidate system call data, the event being one of a file upload event and a file download event.

29. (Previously Presented) The non-transitory medium of claim 28, wherein identifying the event comprises recording data pertaining to the event, the data pertaining to the event comprising at least one of: date and time; machine identifier; username; application identifier; activity identifier; and resource identifier.  

30. (Previously Presented) The non-transitory medium of claim 28, wherein the method further comprises retrieving at least one file that is the object of the 

31. (Previously Presented) The non-transitory medium of claim 20, wherein the method further comprises storing each of the collected file system call data and the collected network communication metadata in the endpoint device by way of at least one of: for a predetermined period; and in data storage of predetermined size.  

32. (Previously Presented) The non-transitory medium of claim 20, wherein at least one of the file system call data and the network communication metadata is collected at an interface between the kernel and the user space.
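
Claims 1 and 20 recite the same three-step procedure: flag a network node that receives more than a predetermined number of communication system calls within a time window, correlate the flagged calls with file system calls by time proximity and matching process identifier, and then classify the correlated file commands. The following Python sketch is an added illustration of that procedure, not the applicant's code; the sample records, the host and user fields, and the mapping from file commands to upload/download events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class NetCall:   # network communication metadata (subset of the claim 2 fields)
    pid: int; proc: str; node: str; ts: float; nbytes: int

@dataclass(frozen=True)
class FileCall:  # file system call data: command plus path, process and time
    pid: int; proc: str; cmd: str; path: str; t: float

# Constructed sample records, not captured from any real endpoint.
NET = [NetCall(1234, "sync", "203.0.113.7:443", 100.0 + i, 65536) for i in range(6)]
NET.append(NetCall(77, "curl", "198.51.100.2:443", 102.0, 512))
FILES = [
    FileCall(1234, "sync", "read", "/home/alice/payroll.xlsx", 99.0),
    FileCall(1234, "sync", "delete", "/home/alice/payroll.xlsx", 104.0),
    FileCall(1234, "sync", "write", "/tmp/cache", 300.0),   # outside the time window
    FileCall(77, "curl", "read", "/etc/hosts", 101.0),      # different process identifier
]

def detect_first_candidates(net, window, threshold):
    """Flag every communication call to a node that receives more than
    `threshold` calls within any `window`-second span (sliding window per node)."""
    by_node = defaultdict(list)
    for c in sorted(net, key=lambda c: c.ts):
        by_node[c.node].append(c)
    flagged = set()
    for calls in by_node.values():
        lo = 0
        for hi in range(len(calls)):
            while calls[hi].ts - calls[lo].ts > window:
                lo += 1
            if hi - lo + 1 > threshold:          # "greater than a predetermined number"
                flagged.update(calls[lo:hi + 1])
    return sorted(flagged, key=lambda c: c.ts)

def identify_second_candidates(first, files, delta):
    """File calls within `delta` seconds of a flagged network call whose
    process identifier matches the network call's process identifier."""
    hits = {f for c in first for f in files
            if f.pid == c.pid and abs(f.t - c.ts) <= delta}
    return sorted(hits, key=lambda f: f.t)

# Assumed mapping of file commands to event types; the claims leave this open.
EVENT_FOR_CMD = {"read": "file upload", "create": "file download", "write": "file download"}

def analyze(second, machine="host-01", user="alice"):
    """Keep correlated file calls whose command is a predetermined suspect command
    and record claim 15 style fields (time, machine, user, application, resource)."""
    return [(EVENT_FOR_CMD[f.cmd], f.t, machine, user, f.proc, f.path)
            for f in second if f.cmd in EVENT_FOR_CMD]
```

The `delete` call is correlated (same process, inside the window) but yields no event because it is not in the assumed command mapping, which mirrors the claim's separation of identifying second candidate data from analyzing it.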

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
After further search and consideration, Examiner concedes there is no art that, singly or in combination, teaches all features as amended in claim 1. Therefore claims 1 and 20 are allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Inquiry communication
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRI M TRAN whose telephone number is (571)270-1994.  The examiner can normally be reached on Mon-Fri: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 5712723804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRI M TRAN/Primary Examiner, Art Unit 2494