Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.	EXAMINER’S NOTE: The claims have been reviewed and considered under the new guidance pursuant to the 2019 Revised Patent Subject Matter Eligibility Guidance (PEG 2019) issued January 7, 2019.
3.	This communication is in response to Applicant’s amendment filed on 10 May 2021. The Examiner performed compact prosecution and proposed to the Applicant that the subject matter recited in dependent claim 5 be incorporated into all independent claims to overcome the prior art of record, and that an electronic Terminal Disclaimer be filed to overcome the previous Double Patenting rejection. During an interview, the proposal was accepted and authorization was given for an Examiner’s Amendment on 11 May 2021; the electronic terminal disclaimer was approved on 12 May 2021.
4.	After the Examiner’s amendment was performed, claim 5 has been canceled. Claims 1, 19, and 20 have been amended. Claims 1-4 and 6-20 remain pending. 

Terminal Disclaimer
5.	The terminal disclaimer filed on 12 May 2021 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of prior patent numbers 10,354,066 and 10,354,067 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Information Disclosure Statement
6.	The Information Disclosure Statement respectfully submitted on 12 May 2021 has been considered by the Examiner.

Response to Arguments
7.	Applicant’s arguments, as set forth in the remarks filed on 12 April 2021, that the prior art does not expressly disclose cryptographically linking data containers, the storage of harvested data in such data containers, and the use of a tamper resistant feature on the data containers (see for example pages 9-10) have been fully considered and are persuasive. Therefore, the 35 U.S.C. 103 rejection of claims 1-20 in view of Janssen, Barrell et al., and Egorov et al. has been withdrawn, and the previous Double Patenting rejection has been withdrawn. In addition, incorporating the features of dependent claim 5 into all independent claims and filing the electronic Terminal Disclaimer placed the application in condition for allowance.

EXAMINER’S AMENDMENT
8.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Attorney Carl A. Kukkonen, III, Reg. No. 42,773 on 11 May 2021. The application has been amended as follows:
Please amend the following claims:
Claim 1.  (Currently Amended)  A method comprising: 
	harvesting, by an endpoint computer system, data relating to a plurality of events occurring within and characterizing a history of an operating environment of the endpoint computer system, the harvesting comprising receiving and/or inferring the data using one or more sensors executing on the endpoint computer system; and
	adding the data to a local data store maintained on the endpoint computer system, the local data store comprising an audit log, the audit log comprising a series of cryptographically linked data containers, each data container in the series except for a current data container comprising a tamper resistant feature, currently generated forensic data being stored in the current data container of the series of data containers while preceding data containers in the series are closed to further write operations;
	wherein the tamper resistant feature comprises a cryptographic fingerprint that references a most recently closed data container in the series relative to the container comprising such tamper resistant feature, and wherein the change in the tamper resistant feature comprises a data container of the series of data containers being referenced in the cryptographic fingerprint of a following data container but no longer being present in the audit log.

	Claim 2.  (Original)  A method as in claim 1 further comprising: 


	Claim 3.  (Original)  A method as in claim 2, wherein the artifact comprises a digital item of interest comprising one or more of a file, a program, and a system characteristic.

	Claim 4.  (Original)  A method as in claim 1, further comprising detecting that the audit log has been compromised based on a change in the tamper resistant feature.

	Claim 5.  (Canceled).

	Claim 6.  (Original)  A method as in claim 1, wherein the tamper resistant feature comprises data compression and signing with a public key and/or enciphering of a combination of the data container plus a signature comprising the public key.

	Claim 7.  (Original)  A method as in claim 1 further comprising: taking an action based on the detecting that the audit log has been compromised.

	Claim 8.  (Original)  A method as in claim 7, wherein the action comprises one or more of:

	protection and/or other prevention of corruption of the forensic data that are used to generate the audit log and local cache.

	Claim 9.  (Original)  A method as in claim 1, wherein the audit log and the local cache are both stored on the endpoint computer.

	Claim 10.  (Original)  A method as in claim 1, wherein each data container of the series of data containers in the audit log is encrypted and wherein the forensic data are written to the current data container in an append-only manner.

	Claim 11.  (Original)  A method as in claim 1, wherein the harvesting further comprises receiving and/or inferring at least some of the data using additional data generated external to the endpoint computer system.

	Claim 12.  (Original)  A method as in claim 1, wherein the adding of the data to the local data store further comprises determining, based on one or more criteria, to retain in the local data store a first subset of the data as more likely to be relevant and to exclude from the local data store a second subset of the data as more likely to be irrelevant.



	Claim 14.  (Original)  A method as in claim 1, wherein the responsive data comprises one or more of one or more times that a particular file was accessed on the endpoint computer system, how the particular file was used on the endpoint computer system, when the particular file was first detected on the endpoint computer system, location of a registry persistence point, and use of a registry by a software routine to allow itself to persist after a reboot of the endpoint computing system.

	Claim 15.  (Original)  A method as in claim 1, wherein the generating the response comprises mitigating an amount of the data returned as part of the responsive data, the mitigating comprising interpreting the query at the endpoint computer system and focusing on specific data of the responsive data that are most likely to be relevant to a subject of the query.

	Claim 16.  (Original)  A method as in claim 1, wherein the one or more sensors comprises at least one of a kernel mode collector, a removable media sensor, a sensor that collects data about a current state of a computing environment executing on the endpoint computer, a malware detection and/or interdiction process, a user authentication process, and a user authentication re-verification process.

	harvesting the data according to a first set of data collection criteria;
	determining, via a machine-learning based threat detection module, that a heightened level of alert is necessary; and
	in response to the heightened level of alert, harvesting the data according to a second set of data collection criteria that are broader than the first set of data collection criteria, causing a greater amount of data to be harvested;
	wherein the machine learning component performs at least one operation selected from determining that the heightened level of alert is necessary, blocking or terminating execution of a process or thread, and determining that the alert level can be lowered back to the first set of data collection criteria.

	Claim 18.  (Original)  A method as in claim 17, wherein the machine learning component accomplishes the at least one operation by processing data already in the local data store to determine that a potentially undesirable event has occurred and/or by processing the harvested data as it is received to determine that a potentially undesirable event is currently occurring.

	Claim 19.  (Currently Amended)  A system comprising: 
	at least one data processor; and
	memory storing instructions which, when executed by the at least one data processor, result in operations comprising:

		adding the data to a local data store maintained on the endpoint computer system, the local data store comprising an audit log, the audit log comprising a series of cryptographically linked encrypted data containers, each encrypted data container in the series except for a current data container comprising a tamper resistant feature, currently generated forensic data being encrypted and stored in the current data container of the series of encrypted data containers while preceding data containers in the series are closed to further write operations;
	wherein the tamper resistant feature comprises a cryptographic fingerprint that references a most recently closed data container in the series relative to the container comprising such tamper resistant feature, and wherein the change in the tamper resistant feature comprises a data container of the series of data containers being referenced in the cryptographic fingerprint of a following data container but no longer being present in the audit log.

	Claim 20.  (Currently Amended)  A non-transitory computer program product storing instructions which, when executed by at least one computing device, result in operations comprising:
              harvesting, by an endpoint computer system, data relating to a plurality of events occurring within and characterizing a history of an operating environment of the 
              adding the data to a local data store maintained on the endpoint computer system, the local data store comprising an audit log, the audit log comprising a series of data containers, each encrypted data container in the series except for a current data container comprising a tamper resistant feature, currently generated forensic data being encrypted and stored in the current data container of the series of encrypted data containers while preceding data containers in the series are closed to further write operations;
	wherein the tamper resistant feature comprises a cryptographic fingerprint that references a most recently closed data container in the series relative to the container comprising such tamper resistant feature, and wherein the change in the tamper resistant feature comprises a data container of the series of data containers being referenced in the cryptographic fingerprint of a following data container but no longer being present in the audit log.
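The chained audit log recited in claims 1, 4, and 10 above (closed containers that each carry a fingerprint of the most recently closed container, an append-only current container, and detection when a referenced container is no longer present), as an added illustration that is not part of the application or of this office action; the use of SHA-256 as the fingerprint, the JSON container layout, and the sample events are assumptions:

```python
import copy
import hashlib
import json

def fingerprint(container):
    """SHA-256 over the canonical JSON of a container (assumed fingerprint)."""
    data = json.dumps(container, sort_keys=True).encode("utf-8")
    return hashlib.sha256(data).hexdigest()

class AuditLog:
    """Series of linked containers. Only the current container accepts writes;
    each container records the fingerprint of the most recently closed one."""
    def __init__(self):
        self.closed = []                          # closed containers, oldest first
        self.current = {"prev": None, "events": []}

    def append(self, event):
        self.current["events"].append(event)      # append-only write

    def close_current(self):
        self.closed.append(self.current)          # closed: no further writes
        self.current = {"prev": fingerprint(self.current), "events": []}

def verify_chain(closed, current):
    """(True, None) if each container references the fingerprint of the container
    actually preceding it in the log; else (False, index of the first break)."""
    expected = None
    for i, c in enumerate(closed + [current]):
        if c["prev"] != expected:
            return False, i
        expected = fingerprint(c)
    return True, None

def build_sample_log():
    """Constructed sample: three closed containers plus one current container."""
    log = AuditLog()
    for n in range(3):
        log.append({"seq": n, "event": "process_start", "pid": 1000 + n})
        log.close_current()
    log.append({"seq": 3, "event": "file_access", "path": "/tmp/x"})
    return log

def check_after_removal(log, index):
    """Verify a copy of the log from which closed container `index` is missing."""
    tampered = copy.deepcopy(log.closed)
    del tampered[index]
    return verify_chain(tampered, log.current)
```

Because each fingerprint covers the previous container's own `prev` field, removing or altering any closed container breaks the reference held by the container that follows it, including the reference held by the still-open current container.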

Allowable Subject Matter
9.	Claims 1-4 and 6-20 are allowed.
10.	The following is an examiner’s statement of reasons for allowance: The present invention is directed towards a method and system for retaining and providing accessibility to data characterizing events occurring in a computing environment on an endpoint computer. Claims 1, 19, and 20 identify the uniquely distinct features “wherein the tamper resistant feature comprises a cryptographic fingerprint that references a most recently closed data container in the series relative to the container comprising such tamper resistant feature, and wherein the change in the tamper resistant feature comprises a data container of the series of data containers being referenced in the cryptographic fingerprint of a following data container but no longer being present in the audit log”.
The closest prior art, Janssen (Pub No. 2016/0127417) discloses systems, devices, and computing-implemented methods for initiating a secure network communication system using a response to a risk assessment template and one or more computer knowledge bases to determine a network security policy, network security controls, hardware and software devices, and commands for the hardware and software devices. Embodiments also relate to systems, devices, and computing-implemented methods for monitoring the secure network communication system by monitoring communications from user devices, determining to hold communications based on the network security policy, notifying users of held communications, and allowing the users, via their user devices, to adjust the network security policy for overridable controls to authorize held communications. 
However, Janssen fails to anticipate or render obvious the claimed limitations of wherein the tamper resistant feature comprises a cryptographic fingerprint that references a most recently closed data container in the series relative to the container comprising such tamper resistant feature, and wherein the change in the tamper resistant feature comprises a data container of the series of data containers being referenced in the cryptographic fingerprint of a following data container but no longer being present in the audit log.

However, Barrell et al. fail to anticipate or render obvious the claimed limitations of wherein the tamper resistant feature comprises a cryptographic fingerprint that references a most recently closed data container in the series relative to the container comprising such tamper resistant feature, and wherein the change in the tamper resistant feature comprises a data container of the series of data containers being referenced in the cryptographic fingerprint of a following data container but no longer being present in the audit log.
The closest prior art, Egorov et al. (Pub No. 2016/0330180) discloses a process of operating a zero-knowledge encrypted database, the process including: obtaining a request for data in a database stored by an untrusted computing system, wherein the database is stored in a graph that includes a plurality of connected nodes, each of the 
However, Egorov et al. fail to anticipate or render obvious the claimed limitations of wherein the tamper resistant feature comprises a cryptographic fingerprint that references a most recently closed data container in the series relative to the container comprising such tamper resistant feature, and wherein the change in the tamper resistant feature comprises a data container of the series of data containers being referenced in the cryptographic fingerprint of a following data container but no longer being present in the audit log.
11.	Therefore, claims 1, 19, and 20 and the respective dependent claims 2-4 and 6-18 are in condition for allowance.

Conclusion
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KENDALL DOLLY/Primary Examiner, Art Unit 2436