DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 19 May, 2021 has been entered.
Examiner Amendment
2.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with VISHAL KHATRI on May 20, 2021.

IN THE CLAIMS
The claims are amended as follows:
33.	(Currently Amended) A non-transient computer-readable medium having instructions stored therein for execution by at least one processor, when the instructions are executed by the at least one processor a method is performed comprising:
	identifying a target processing device suspected of, or exhibiting, indications of anomalous conditions;
	extracting data from a specified range of a volatile memory of the target processing device;
	reconstructing data structures and artifacts from the extracted data; and
	generating and presenting a visualization of the reconstructed data structures and the reconstructed artifacts, in the form of at least one of a table layout, a tree layout, a graph layout, and/or a cross-view layout, to assess the condition of the target processing device; and
	providing a plurality of analysis methods for evaluating a state of the target processing device, the plurality of analysis methods performing at least one of determining differences from a known good state, detecting indications of known attacker activity, detecting indications of malware being present, detecting heuristics associated with suspicious activity, detecting discrepancies in logical relationships among the reconstructed artifacts, and determining whether policies or standards have been violated;
	wherein the plurality of analysis methods comprises at least one of scripts, database queries, byte sequence signatures, string matching, and comparison of registry key values.

34.	(Cancelled) 

35.	(Cancelled)

36.	(Previously Presented) The non-transient computer-readable medium of claim 33, wherein the method further comprises:
	presenting indications of suspicious activity or indications of abnormal conditions to a user; and
	providing a facility for the user to bookmark and annotate artifacts.

37.	(Previously Presented) The non-transient computer-readable medium of claim 33, wherein the method further comprises:
	correlating information within the volatile memory with data stored in at least one other data source to determine existence of inconsistencies or anomalies.

38.	(Previously Presented) The non-transient computer-readable medium of claim 33, wherein the method further comprises:	
	providing a graphical user interface and a scriptable interface for formulating queries and performing other types of analysis.

39.	(Original) The non-transient computer-readable medium of claim 38, wherein the method further comprises:	
	generating, managing, and/or sharing detection methods for detecting anomalous conditions using artifacts displayed with the graphical user interface.


	importing at least one other detection method for detecting the anomalous conditions using the artifacts displayed with the graphical user interface.

41.	(Previously Presented) The non-transient computer-readable medium of claim 39, wherein the method further comprises:
	collecting metrics regarding effectiveness of the detection algorithms; and
	sending the collected metrics to at least one other processing device for remote analytics.

42.	(Previously Presented) The non-transient computer-readable medium of claim 33, wherein the method further comprises:
	automatically evaluating capabilities of memory resident executables and associated file formats by analyzing imported libraries and exported methods for inconsistencies or anomalies. 

43.	(Previously Presented) The non-transient computer-readable medium of claim 33, wherein the method further comprises:	
	providing a facility to associate a response action with at least one analytic pattern.

44.	(Original)  The non-transient computer-readable medium of claim 43, wherein the response actions include at least one of querying new types of data, generating an alert, and/or halting a process.

45.	(Previously Presented) The non-transient computer-readable medium of claim 33, wherein the method further comprises:	
	importing or generating whitelists of normal known, or trusted, conditions;
	sharing the whitelists; and 
	managing the whitelists.

46.	(Previously Presented) The non-transient computer-readable medium of claim 33, wherein the method further comprises:	
	extracting metadata based on the extracted data; 
	storing the metadata, the metadata describing a system state and including a subset of original 

47.	(Previously Presented) The non-transient computer-readable medium of claim 33, wherein the method further comprises:	
	providing a facility for distributing the stored metadata to a group of users.

48.	(Previously Presented) The non-transient computer-readable medium of claim 33, wherein the method further comprises:
	reconstructing data stores based on data found in cached memory of the processing device.

49.	(Previously Presented) A non-transient computer-readable medium having instructions stored therein for execution by at least one processor, when the instructions are executed by the at least one processor a method is performed comprising:
	identifying a target processing device suspected of, or exhibiting, indications of anomalous conditions;
	extracting data from a specified range of a volatile memory of the target processing device;
	reconstructing data structures and artifacts from the extracted data; and
	generating and presenting a visualization of the reconstructed data structures and the reconstructed artifacts, in the form of at least one of a table layout, a tree layout, a graph layout, and/or a cross-view layout, to assess the condition of the target processing device; and
	providing a plurality of analysis methods for evaluating a state of the target processing device, the plurality of analysis methods performing at least one of determining differences from a known good state, detecting indications of known attacker activity, detecting indications of malware being present, detecting heuristics associated with suspicious activity, detecting discrepancies in logical relationships among the reconstructed artifacts, and determining whether policies or standards have been violated;
	wherein the plurality of analysis methods include scripts, database queries, byte sequence signatures, string matching, and comparison of registry key values.
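The analysis methods recited in claims 33 and 49 (byte sequence signatures, string matching, comparison of registry key values, and determining differences from a known good state) can be illustrated with a short script. The following is an added example written for this page; it is not code from the office action, the applicant's disclosure, or any cited reference. The memory range, the registry values, the byte signatures and the string pattern are all constructed placeholders, not real indicators, and the function and type names are the example's own.

```python
"""
Added example (not from the office action or the applicant's disclosure):
a minimal, offline illustration of the analysis methods named in claims 33
and 49, run over a constructed "volatile memory" region. Every value below
is constructed for the example; the signatures, strings and registry values
are placeholders rather than real indicators.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for a range of extracted volatile memory.
MEMORY_RANGE = (
    b"\x00" * 16
    + b"MZ\x90\x00" + b"\x00" * 8            # PE-style header fragment (constructed)
    + b"cmd.exe /c whoami\x00"               # an embedded command string (constructed)
    + b"\xDE\xAD\xBE\xEF" + b"\x00" * 4      # placeholder byte signature (constructed)
    + b"HKLM\\Software\\Example\\Run\x00"    # a registry path string (constructed)
    + b"\x00" * 16
)

# Reconstructed artifact: registry key values recovered from memory
# (constructed) versus a known-good baseline (constructed).
RECONSTRUCTED_REGISTRY = {
    r"HKLM\Software\Example\Run": r"C:\Users\Public\updater.exe",
    r"HKLM\Software\Example\Version": "1.2.3",
}
KNOWN_GOOD_REGISTRY = {
    r"HKLM\Software\Example\Run": r"C:\Program Files\Example\svc.exe",
    r"HKLM\Software\Example\Version": "1.2.3",
}

# Placeholder byte sequence signatures and string patterns. Real detection
# content would come from an analyst's own signature set.
BYTE_SIGNATURES = {
    "placeholder-sig-1": b"\xDE\xAD\xBE\xEF",
    "pe-header-fragment": b"MZ\x90\x00",
}
STRING_PATTERNS = {
    "shell-command": re.compile(rb"cmd\.exe /c \w+"),
}


@dataclass
class Finding:
    method: str   # which analysis method produced the finding
    name: str     # signature, pattern or registry key name
    detail: str   # offset, matched text, or expected/observed values


def scan_byte_signatures(data: bytes, sigs=BYTE_SIGNATURES) -> list:
    """Byte sequence signatures: report every offset at which a signature occurs."""
    out = []
    for name, sig in sigs.items():
        off = data.find(sig)
        while off != -1:
            out.append(Finding("byte-signature", name, f"offset {off}"))
            off = data.find(sig, off + 1)
    return out


def scan_strings(data: bytes, patterns=STRING_PATTERNS) -> list:
    """String matching: report each regex match found in the memory range."""
    return [Finding("string-match", name, m.group(0).decode("latin-1"))
            for name, pat in patterns.items() for m in pat.finditer(data)]


def compare_registry(observed: dict, baseline: dict) -> list:
    """Comparison of registry key values against a known good state."""
    out = []
    for key, good in baseline.items():
        seen = observed.get(key)
        if seen != good:
            out.append(Finding("registry-diff", key,
                               f"expected {good!r}, observed {seen!r}"))
    for key in observed.keys() - baseline.keys():
        out.append(Finding("registry-diff", key, "key absent from baseline"))
    return out


def evaluate_state(data: bytes, observed: dict, baseline: dict) -> dict:
    """Run all analysis methods and summarise whether the device state looks suspicious."""
    findings = (scan_byte_signatures(data) + scan_strings(data)
                + compare_registry(observed, baseline))
    return {"findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    result = evaluate_state(MEMORY_RANGE, RECONSTRUCTED_REGISTRY, KNOWN_GOOD_REGISTRY)
    for f in result["findings"]:
        print(f"{f.method:15} {f.name:35} {f.detail}")
    print("suspicious:", result["suspicious"])
```

Each method returns structured findings rather than printing, so the results can feed the visualization and response facilities the dependent claims describe (tables of findings, alerts, bookmarks) without re-parsing text output.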

Response to Arguments
2.	Applicant’s arguments with respect to the rejection of the pending claims over the prior art of record have been fully considered and are persuasive.
Allowable Subject Matter
3.	Claims 33 and 36-49 are allowed over the Prior Art of record.
4.	The following is an examiner’s statement of reasons for allowance:
The best prior art of record, Levy (U.S. No. 2012/0158737 A1), Ismael (U.S. No. 2015/0096025 A1), Saxe (U.S. No. 9,940,459 B1), Simonson (U.S. No. 6,803,930 B1), Thomas (U.S. No. 2012/0079596 A1), Zorn (U.S. No. 2010/0205674 A1), Nabutovsky (U.S. No. 2011/0078550 A1), and Wood (U.S. No. 2009/0290492 A1), teaches elements of the claimed invention but fails to disclose the limitations of providing a plurality of analysis methods for evaluating a state of the target processing device, the plurality of analysis methods performing at least one of determining differences from a known good state, detecting indications of known attacker activity, detecting indications of malware being present, detecting heuristics associated with suspicious activity, detecting discrepancies in logical relationships among the reconstructed artifacts, and determining whether policies or standards have been violated; wherein the plurality of analysis methods comprises at least one of scripts, database queries, byte sequence signatures, string matching, and comparison of registry key values, as claimed in independent claim 1.
Hence the prior art of record fails to teach the invention as set forth in claims 5 – 10, and the Examiner cannot find a specific teaching of the invention, nor reasons within the cited art to combine the elements of these references, other than applicant's own reasoning.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey C Pwu, whose telephone number is (571) 272-6798.  The examiner can normally be reached on 8-4.
-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAMUEL AMBAYE/
Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433