DETAILED ACTION
This action is in response to new application filed 7/31/2018 titled “Cloud Forensics and Incident Response Platform”. Claims 1-21 were received for consideration and are under consideration.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 5/22/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 5-12, 15-17, 20 and 21 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Cochran (US 2016/0034295).

intercepting, by a cloud incident response module (CIRM), communication between a virtual machine (VM) and a hypervisor (see figure 3 step 360-370 and paragraph 0109-0110 i.e. At 370, the computer system can acquire forensics data from one or more targeted virtual machines. The forensics data can include one or more of: filesystem artifacts, network artifacts, memory artifacts, and event log artifacts. The forensics data can be received and/or exposed via one or more inter-partition communication mechanisms); and 
extracting, by the CIRM, data from the communication between the VM and the hypervisor according to a forensic policy (see Cochran figure 3 step 380 and paragraph 0111 i.e. At 380, the computer system can output acquired forensics data. The acquired forensics data can be output or presented as one or more interactive user interfaces, web documents, and/or web pages, as a viewable electronic document, and/or as a printed document. When provided in an interactive format, the output can include functionality for navigating to portions that correspond to different hosted virtual machines and different forensics artifacts for each hosted virtual machine. The output can include or link to forensic analysis information pertaining to hosted virtual machines or forensic artifacts. Acquired forensics data can be presented in a user interface that provides functionality for searching, filtering, and/or sorting the forensics data based on a single criterion or combination of criteria), 

wherein the intercepting and the extracting are performed without knowledge of an operating environment of the VM and of the hypervisor (see Cochran paragraph 0060 i.e. Forensics service API 163 can be exposed to forensics tool 170 and can include functionality for requesting, receiving, and/or exposing forensics data from running hypervisor-hosted VMs using various inter-partition communication mechanisms. For instance, forensics service API 163 can include functionality for requesting, receiving, and/or exposing forensics data from running enlightened VMs via VMBus 162. Calls can be routed from forensics root VM partition 160 to targeted enlightened VMs via the VMBus 162, 142. Forensics data from VMs can be received over and/or exposed by VMBus 162). 

With respect to claim 5 Cochran teaches the method of claim 1, wherein the data comprises textual data and further comprising: correlating the textual data against other data in a security information and event management (SIEM) system (see Cochran figure 3 step 380 and paragraph 0111 i.e. The output can include or link to forensic analysis information pertaining to hosted virtual machines or forensic artifacts. Acquired forensics data can be presented in a user interface that provides functionality for 

With respect to claim 6 Cochran teaches the method of claim 1, wherein the intercepting and extracting are performed without interruption of the VM and the hypervisor (see Cochran figure 3 step 380 and paragraph 0111 i.e. At 380, the computer system can output acquired forensics data. The acquired forensics data can be output or presented as one or more interactive user interfaces, web documents, and/or web pages, as a viewable electronic document, and/or as a printed document. When provided in an interactive format, the output can include functionality for navigating to portions that correspond to different hosted virtual machines and different forensics artifacts for each hosted virtual machine. The output can include or link to forensic analysis information pertaining to hosted virtual machines or forensic artifacts. Acquired forensics data can be presented in a user interface that provides functionality for searching, filtering, and/or sorting the forensics data based on a single criterion or combination of criteria). 

With respect to claim 7 Cochran teaches the method of claim 1, further comprising: detecting an operating system of the VM (see Cochran paragraph 0071 i.e. Host/VM memory analysis provides an investigator with the ability to acquire and analyze information about the operating system and running processes. This capability can involve acquiring memory data for analysis by forensics tool 170 or direct analysis via exposure of forensics interface 163 to forensics tool 170. Non-limiting examples of 

With respect to claim 8 Cochran teaches the method of claim 1, wherein the forensic policy comprises at least one of an identifying a guest for which data is to be extracted, identifying a type of data to be extracted, and identifying a time frame within which data is to be extracted (see Cochran paragraph 0062 i.e. Forensics service API 163 can include functionality for requesting, receiving, and/or exposing forensics data from running enlightened VMs (e.g., child VM partition 140) using VSCs and/or integration services. Enlightened partitions provide an I/O and hypervisor-aware kernel via the installation of integration services, which can include one or more VSCs that utilize the VMBus. As such, forensics service API 173 can request, receive, and/or expose forensics data from enlightened VMs using VSCs and/or integration services. Forensics service API 163 can request, receive, and/or expose forensics data by communicating with running VMs using WMI calls). 

With respect to claim 9 Cochran teaches the method of claim 1, further comprising: locating, by the CIRM, hypervisor in kernel-space memory; and redirecting exit handling of the VM from the hypervisor to a CIRM exit handler (see Cochran paragraph 0076 i.e. Forensics child VM partition 180 can include a HCIF 181 for 

With respect to claim 10 Cochran teaches the method of claim 1, wherein the CIRM is loadable and unloadable without VM or hypervisor interruption (see Cochran paragraph 0053 i.e. Forensics root VM partition 160 can be created and/or launched by hypervisor 110. Forensics root VM partition 160 can implement a forensics root VM as a dedicated VM for forensics acquisition and analysis with nominal impact to hypervisor 110 or root VM partition 130). 

With respect to claim 11 Cochran teaches the method of claim 1, wherein an output from the CIRM is unified across a plurality of hypervisors and a plurality of VMs (see Cochran figure 1 and paragraph 0110 i.e. At 370, the computer system can acquire forensics data from one or more targeted virtual machines. The forensics data can include one or more of: filesystem artifacts, network artifacts, memory artifacts, and event log artifacts. The forensics data can be received and/or exposed via one or more inter-partition communication mechanisms supported by hypervisor-hosted virtualization environment 120). 

With respect to claim 12 Cochran teaches a computer system for performing cloud forensics and incident response, the computer system comprising: a bus system; a storage device connected to the bus system, wherein the storage device stores program instructions; and a processor connected to the bus system, wherein the processor executes the program instructions to: 
intercept communication between a virtual machine (VM) and a hypervisor (see figure 3 step 360-370 and paragraph 0109-0110 i.e. At 370, the computer system can acquire forensics data from one or more targeted virtual machines. The forensics data can include one or more of: filesystem artifacts, network artifacts, memory artifacts, and event log artifacts. The forensics data can be received and/or exposed via one or more inter-partition communication mechanisms); and 
extract data from the communication between the VM and the hypervisor according to a forensic policy (see Cochran figure 3 step 380 and paragraph 0111 i.e. At 380, the computer system can output acquired forensics data. The acquired forensics data can be output or presented as one or more interactive user interfaces, web documents, and/or web pages, as a viewable electronic document, and/or as a printed document. When provided in an interactive format, the output can include functionality for navigating to portions that correspond to different hosted virtual machines and different forensics artifacts for each hosted virtual machine. The output can include or link to forensic analysis information pertaining to hosted virtual machines or forensic artifacts. Acquired forensics data can be presented in a user interface that provides 
wherein the intercepting and the extracting are transparent to the VM and to the hypervisor (see Cochran paragraph 0057 i.e. Forensics root VM partition 160 can implement a privileged VM that is permitted access to hosted VMs via VMBus 162 and hypercalls API 111 directly. Forensics root VM partition 160 is capable of sending and receiving messages and/or events that are routed through hypervisor 110 to a destination partition), and
wherein the intercepting and the extracting are performed without knowledge of an operating environment of the VM and of the hypervisor (see Cochran paragraph 0060 i.e. Forensics service API 163 can be exposed to forensics tool 170 and can include functionality for requesting, receiving, and/or exposing forensics data from running hypervisor-hosted VMs using various inter-partition communication mechanisms. For instance, forensics service API 163 can include functionality for requesting, receiving, and/or exposing forensics data from running enlightened VMs via VMBus 162. Calls can be routed from forensics root VM partition 160 to targeted enlightened VMs via the VMBus 162, 142. Forensics data from VMs can be received over and/or exposed by VMBus 162). 

With respect to claim 15 Cochran teaches the computer system of claim 12, wherein the data comprises textual data and wherein the processor further executes the program instructions to: correlate the textual data against other data in a security information and event management (SIEM) system (see Cochran figure 3 step 380 and 

With respect to claim 16 Cochran teaches the computer system of claim 12, wherein the instructions to intercept and the instructions to extract are performed without interruption of the VM and the hypervisor (see Cochran figure 3 step 380 and paragraph 0111 i.e. At 380, the computer system can output acquired forensics data. The acquired forensics data can be output or presented as one or more interactive user interfaces, web documents, and/or web pages, as a viewable electronic document, and/or as a printed document. When provided in an interactive format, the output can include functionality for navigating to portions that correspond to different hosted virtual machines and different forensics artifacts for each hosted virtual machine. The output can include or link to forensic analysis information pertaining to hosted virtual machines or forensic artifacts. Acquired forensics data can be presented in a user interface that provides functionality for searching, filtering, and/or sorting the forensics data based on a single criterion or combination of criteria). 

With respect to claim 17 Cochran teaches a computer program product for performing cloud forensics and incident response, the computer program product comprising a computer readable storage medium having program instructions embodied 
intercepting communication between a virtual machine (VM) and a hypervisor (see figure 3 step 360-370 and paragraph 0109-0110 i.e. At 370, the computer system can acquire forensics data from one or more targeted virtual machines. The forensics data can include one or more of: filesystem artifacts, network artifacts, memory artifacts, and event log artifacts. The forensics data can be received and/or exposed via one or more inter-partition communication mechanisms); and 
extracting data from the communication between the VM and the hypervisor according to a forensic policy (see Cochran figure 3 step 380 and paragraph 0111 i.e. At 380, the computer system can output acquired forensics data. The acquired forensics data can be output or presented as one or more interactive user interfaces, web documents, and/or web pages, as a viewable electronic document, and/or as a printed document. When provided in an interactive format, the output can include functionality for navigating to portions that correspond to different hosted virtual machines and different forensics artifacts for each hosted virtual machine. The output can include or link to forensic analysis information pertaining to hosted virtual machines or forensic artifacts. Acquired forensics data can be presented in a user interface that provides functionality for searching, filtering, and/or sorting the forensics data based on a single criterion or combination of criteria), 
wherein the intercepting and the extracting are transparent to the VM and to the hypervisor (see Cochran paragraph 0057 i.e. Forensics root VM partition 160 can implement a privileged VM that is permitted access to hosted VMs via VMBus 162 and 
wherein the intercepting and the extracting are performed without knowledge of an operating environment of the VM and of the hypervisor (see Cochran paragraph 0060 i.e. Forensics service API 163 can be exposed to forensics tool 170 and can include functionality for requesting, receiving, and/or exposing forensics data from running hypervisor-hosted VMs using various inter-partition communication mechanisms. For instance, forensics service API 163 can include functionality for requesting, receiving, and/or exposing forensics data from running enlightened VMs via VMBus 162. Calls can be routed from forensics root VM partition 160 to targeted enlightened VMs via the VMBus 162, 142. Forensics data from VMs can be received over and/or exposed by VMBus 162). 

With respect to claim 20 Cochran teaches the computer program product of claim 17, wherein the data comprises textual data and wherein the method further comprises: correlating the textual data against other data in a security information and event management (SIEM) system (see Cochran figure 3 step 380 and paragraph 0111 i.e. The output can include or link to forensic analysis information pertaining to hosted virtual machines or forensic artifacts. Acquired forensics data can be presented in a user interface that provides functionality for searching, filtering, and/or sorting the forensics data based on a single criterion or combination of criteria). 
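As an added illustration of the forensic-policy selectors recited in claim 8 (identifying a guest, a type of data, and a time frame) and the SIEM correlation step of claim 5, the following Python is example code written for this page; it is not code from the application, from Cochran, or from Patrascu. The event records, SIEM entries, field names, and the five-minute correlation window are all constructed assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed record of one message observed between a VM and its hypervisor.
# The field names are assumptions for this example, not terms from the application.
@dataclass(frozen=True)
class HypervisorEvent:
    guest: str          # identifier of the VM the message concerns
    kind: str           # artifact type: "filesystem", "network", "memory", "eventlog"
    timestamp: datetime
    payload: str        # textual data carried by the message


@dataclass(frozen=True)
class ForensicPolicy:
    """Mirrors the three selectors of claim 8: which guest, which type of data,
    and the time frame within which data is to be extracted. A None selector
    matches everything, so a policy can be as narrow or as broad as needed."""
    guest: Optional[str] = None
    kind: Optional[str] = None
    start: Optional[datetime] = None
    end: Optional[datetime] = None

    def matches(self, ev: HypervisorEvent) -> bool:
        if self.guest is not None and ev.guest != self.guest:
            return False
        if self.kind is not None and ev.kind != self.kind:
            return False
        if self.start is not None and ev.timestamp < self.start:
            return False
        if self.end is not None and ev.timestamp > self.end:
            return False
        return True


def extract(events: Iterable[HypervisorEvent], policy: ForensicPolicy) -> List[HypervisorEvent]:
    """Keep only the intercepted events that the policy selects."""
    return [ev for ev in events if policy.matches(ev)]


def correlate_with_siem(extracted: Iterable[HypervisorEvent],
                        siem_events: Iterable[Dict],
                        window: timedelta = timedelta(minutes=5)) -> List[Tuple[HypervisorEvent, Dict]]:
    """Pair each extracted textual artifact with SIEM events that name the same
    guest and fall within +/- window of it (the correlation step of claim 5).
    The window is an assumed tuning parameter, not a value from the page."""
    pairs: List[Tuple[HypervisorEvent, Dict]] = []
    for ev in extracted:
        for se in siem_events:
            if se["host"] == ev.guest and abs(se["time"] - ev.timestamp) <= window:
                pairs.append((ev, se))
    return pairs


# Constructed sample data (not captured from any real system).
T0 = datetime(2018, 7, 31, 12, 0, 0)
SAMPLE_EVENTS = [
    HypervisorEvent("vm-web-01", "network", T0, "outbound tcp 10.0.0.5:443"),
    HypervisorEvent("vm-web-01", "filesystem", T0 + timedelta(minutes=2), "open /etc/passwd"),
    HypervisorEvent("vm-db-02", "memory", T0 + timedelta(minutes=3), "region 0x7f00 rwx"),
    HypervisorEvent("vm-web-01", "network", T0 + timedelta(hours=2), "outbound tcp 10.0.0.9:22"),
]
SAMPLE_SIEM = [
    {"host": "vm-web-01", "time": T0 + timedelta(minutes=1), "message": "auth failure for root"},
    {"host": "vm-db-02", "time": T0 + timedelta(minutes=3), "message": "backup job started"},
]


def demo() -> Tuple[List[HypervisorEvent], List[Tuple[HypervisorEvent, Dict]]]:
    """Apply a guest + time-frame policy, then correlate the survivors with SIEM data."""
    policy = ForensicPolicy(guest="vm-web-01", start=T0, end=T0 + timedelta(minutes=10))
    extracted = extract(SAMPLE_EVENTS, policy)
    correlated = correlate_with_siem(extracted, SAMPLE_SIEM)
    return extracted, correlated


if __name__ == "__main__":
    hits, pairs = demo()
    for ev in hits:
        print(f"extracted: {ev.guest} {ev.kind} {ev.timestamp:%H:%M} {ev.payload}")
    for ev, se in pairs:
        print(f"correlated: {ev.payload!r} <-> SIEM {se['message']!r}")
```

With the sample data, the policy keeps the two vm-web-01 events inside the ten-minute frame (the third vm-web-01 event two hours later and the vm-db-02 event are dropped), and both survivors correlate with the single SIEM entry for that host because it lies within the five-minute window of each.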


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4, 14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Cochran (US 2016/0034295) in view of Patrascu et al. “Logging Framework for Cloud Computing Forensic Environments”.

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Cochran in view of Patrascu to be able to analyze, order, process and aggregate the raw data so that the investigators have the full picture of what happened on the monitored remote virtual machine, in a manner permitting them to navigate back and forth through the history of the virtual machine.
Therefore one would have been motivated to modify Cochran in view of Patrascu to have been able to analyze the binary data to extract forensic information.

With respect to claim 14 Cochran teaches the computer system of claim 12, but does not disclose wherein the processor further executes the program instructions to: reconstruct binary data from the extracted data; and analyze the binary data to extract 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Cochran in view of Patrascu to be able to analyze, order, process and aggregate the raw data so that the investigators have the full picture of what happened on the monitored remote virtual machine, in a manner permitting them to navigate back and forth through the history of the virtual machine.
Therefore one would have been motivated to modify Cochran in view of Patrascu to have been able to analyze the binary data to extract forensic information.

With respect to claim 19 Cochran teaches the computer program product of claim 17, but does not disclose wherein the method further comprises: reconstructing binary data from the extracted data; and analyzing the binary data to extract forensic information. Patrascu teaches the method further comprises: reconstructing binary data from the extracted data; and analyzing the binary data to extract forensic information 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Cochran in view of Patrascu to be able to analyze, order, process and aggregate the raw data so that the investigators have the full picture of what happened on the monitored remote virtual machine, in a manner permitting them to navigate back and forth through the history of the virtual machine.
Therefore one would have been motivated to modify Cochran in view of Patrascu to have been able to analyze the binary data to extract forensic information.

Allowable Subject Matter
Claims 2-3, 13 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The prior art does not teach with respect to claim 2, the method of claim 1, wherein the VM comprises a first VM, wherein the hypervisor comprises a first hypervisor, wherein the communication comprises a first communication, and wherein 
The prior art does not teach with respect to claim 13, the computer system of claim 12, wherein the VM comprises a first VM, wherein the hypervisor comprises a first hypervisor, wherein the communication comprises a first communication, wherein the data comprises a first data, and wherein the processor further executes the program instructions to: intercept second communication between a second VM and a second hypervisor; and extract second data from the second communication between the second VM and the second hypervisor. 

The prior art does not teach with respect to claim 18, the computer program product of claim 17, wherein the VM comprises a first VM, wherein the hypervisor comprises a first hypervisor, wherein the communication comprises a first communication, wherein the data comprises a first data, and wherein the method further comprises: intercepting second communication between a second VM and a second hypervisor; and extracting second data from the second communication between the second VM and the second hypervisor. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/DEVIN E ALMEIDA/Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492