Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Claims 1 – 20 are pending.
Any references to applicant’s specification are made by way of applicant’s U.S. pre-grant printed patent publication.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1 and 11 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 10 of U.S. Patent No. 11/075,935. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1 and 11 of the instant invention are clearly anticipated by claims 1 and 10 of the U.S. patent. Specifically:
Instant application, claim 1:

A computer-implemented method for automatic collection, analysis and reporting of a cybersecurity threat the method comprising:
providing a first graphical user interface portion designed to receive a selection of one or more types of forensic artifacts to collect from one or more data source designations, wherein the one or more data source designations correspond to data sources including forensic artifacts that can be searched and collected;
configuring an executable computer program to collect forensic artifacts on a remote client system computer based on the selection of one or more types of forensic artifacts to collect and the one or more data source;
executing the executable computer program on the remote client system computer to automatically collect the forensic artifacts based on the selection of the one or more types of forensic artifacts and the one or more data source designations with the interface, wherein collecting the forensic artifacts comprises obtaining the forensic artifacts from archived data corresponding to system data from a date earlier than a date of an execution of the executable computer program;
receiving an encrypted data package, wherein the encrypted data package includes the forensic artifacts automatically collected by the executable computer program;
decrypting the encrypted data package to produce decrypted forensic artifacts;
automatically analyzing the decrypted forensic artifacts (e.g. Jones, 83, 84, 89) using a forensic toolset based on one or more analytic routines and one or more custom queries (e.g. Jones, 85, 102, 104, 107), wherein the forensic toolset comprises a set of forensic tools that output analysis results;
presenting through a second graphical user interface portion an option to select one or more types of output reports, wherein the one or more types of output reports comprise an output report customized for a plurality of different types of forensic investigations and target audience;
receiving a selection of the one or more types of output reports;
responsive to the selection, automatically generating the one or more types of output reports;
and communicating the one or more types of output reports.

US Patent 11/075,935, claim 1:

1. A computer-implemented method for automatic collection, analysis and reporting of a cybersecurity threat, the method comprising:
providing a graphical user interface designed to receive (i) a selection of one or more types of forensic artifacts to collect relating to a departing employee and (ii) one or more data source designations, wherein the one or more data source designations correspond to data sources including forensic artifacts that can be searched and collected;
creating a standalone executable computer program to collect forensic artifacts on a remote client system based on the selection of one or more types of forensic artifacts to collect and one or
transmitting the executable computer program to a client computer to enable the client computer to execute the executable computer program on the client’s remote client system computer to automatically collect the forensic artifacts based on the selection of the one or more types of forensic artifacts and the one or more data source designations with the interface, wherein collecting the forensic artifacts comprises obtaining the forensic artifacts from archived data corresponding to system data from a date earlier than a date of an execution of the executable computer program;
receiving from the client computer an encrypted data package, wherein the encrypted data package includes the
decrypting the encrypted data package to produce decrypted forensic artifacts;
using a forensic toolset to automatically analyze the decrypted forensic artifacts, wherein the forensic toolset comprises a set of forensic tools that output analysis results, wherein analyzing the decrypted forensic artifacts is based on one or more analytic routines and one or more custom queries comprising a departing employee analysis;
presenting through the graphical user interface an option to select one or more of at least two types of output reports, wherein the two types of output reports comprise an output report customized for a plurality of different types of forensic investigations and an output report customized for the technical proficiency of
receiving from the client computer a selection of one or more of the at least two types of output reports;
inputting the analysis results into an automatic report generator to automatically generate the types of output reports selected by the client computer;
and sending the selected output reports to the client computer.

Claim 10 is essentially similar and anticipates the instant claim in the same manner as shown above.



Drawings

The drawings are objected to under 37 CFR 1.83(a).  The drawings must show every feature of the invention specified in the claims.  Therefore, the features of:
“…wherein the first graphical user interface portion and the second graphical user interface portion are part of a single interface…”; “… wherein the first graphical user interface portion and the second graphical user interface portion are separate…”; and “… wherein the one or more types of output reports are communicated through the second graphic user interface portion…”  must be shown or the feature(s) canceled from the claim(s).  No new matter should be entered.
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.


Specification

The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  Correction of the following is required: 
The specification fails to provide proper antecedent basis for the recitations of:
“custom queries” as found within claims 1, 6, 11, and 16.  The examiner notes that the term “custom queries” is not used within the specification.  Furthermore, the originally filed specification provides no indication for understanding the difference between a “custom” query (as claimed) and any other programmed or designed query.  
“…analyzing the decrypted forensic artifacts using a forensic toolset based on one or more analytic routines and one or more custom queries …” as found within claims 1 and 11.  Specifically, the applicant’s specification discloses that the system generates reports by performing “analysis queries” (see par. 58) and that the automated analysis is performed by querying a database (e.g. see par. 59).  However, the applicant’s specification fails to clearly illustrate how forensic artifacts are said to be automatically analyzed based on one or more analytic routines and one or more custom queries.
“… whitelisting/blacklisting; …”
“…artifact classification and correlation …” as found within claims 6 and 16. The applicant’s specification does not appear to disclose “artifact classification and correlation”. 
“…processing the decrypted data … based on the one or more analytic routines and the one or more custom queries comprising one or more of the following: data enrichment; whitelisting/blacklisting; program execution analysis; and artifact classification and correlation …” as found within claims 6 and 16. For example, the applicant’s specification fails to disclose analytic routines and custom queries comprising “data enrichment”. For example, the applicant’s specification fails to disclose analytic routines and custom queries comprising “whitelisting/blacklisting”. For example, the applicant’s specification fails to disclose analytic routines and custom queries comprising “program execution analysis”. For example, the applicant’s specification fails to disclose analytic routines and custom queries comprising “artifact classification and correlation”.
“…wherein the first graphical user interface portion and the second graphical user interface portion are part of a single interface…”; “… wherein the first graphical user interface portion and the second graphical user interface portion are separate…”; and “… wherein the one or more types of output reports are communicated through the second graphic user interface portion…” as found recited within claims 8 – 10 and 18 – 20.

  
Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1 – 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA the inventor(s), at the time the application was filed, had possession of the claimed invention. Applicant has not pointed out where the new (or amended) claim is supported, nor does there appear to be a written description of the claim limitations in the application as filed (see above objection to the specification).

Furthermore, regarding claims 6 and 16, the applicant’s specification fails to clearly and adequately disclose the use of “data enrichment”. Specifically, the applicant’s specification generally refers to the use of a complete and current knowledge base of computer hardware, software, and services, worldwide, for the purpose of providing a comprehensive and complete forensic analysis (see par. 67). However, the examiner notes that one of ordinary skill in the art is not familiar with any such database comprising complete and current knowledge of worldwide hardware, software, and services. Furthermore, the applicant’s disclosure never illustrates or explains the existence of such a database. Therefore, the applicant’s specification does not adequately disclose the usage of “data enrichment”.




The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1 – 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Regarding claims 1, 6, 11, and 20, the term “custom queries” renders the scope of the claims indefinite. Specifically, the examiner notes that the meaning of the term 

Regarding claims 6 and 11, the recitation “… one or more analytic routines and the one or more custom queries comprising …: data enrichment …” renders the scope of the claims indefinite. Specifically, the term “data enrichment” does not possess a single, standardized meaning by those having ordinary skill in the art. Furthermore, the examiner notes that the applicant’s own disclosure fails to provide any clear and concrete definition for the term. Instead, the applicant provides only an indefinite (e.g. “generally refers to”) and non-limiting example (“this database preferably contains … as one example”) of the usage of a database, unknown to those having ordinary skill in the art, comprising complete and current knowledge of worldwide hardware, software, and services (e.g. see Specification, par. 67). The examiner notes that this claimed concept is foreign to those having ordinary skill in the art and is, therefore, indefinite.
 
Regarding claims 6 and 11, the recitation “… one or more analytic routines and the one or more custom queries comprising … whitelisting/blacklisting …” renders the scope of the claims indefinite.  Specifically, it is unclear to one of ordinary skill in the art as to how a forensic analytic routine is said to comprise “whitelisting/blacklisting”.  

Regarding claims 6 and 11, the recitation “… one or more analytic routines and the one or more custom queries comprising … program execution analysis …  ” renders the scope of the claims indefinite.  Specifically it is unclear to one of ordinary skill in the art as to how a custom query is said to comprise “program execution analysis”.  

Regarding claims 6 and 11, the recitation “… one or more analytic routines and the one or more custom queries comprising … artifact classification and correlation …” renders the scope of the claims indefinite.  Specifically it is unclear to one of ordinary skill in the art as to how a custom query is said to comprise “artifact classification and correlation”.  

Regarding claims 2 and 12, the recitation “… wherein the executable computer program is customized to perform collection of a specific set of targeted data …” renders the scope of the claims indefinite.  Specifically, it is unclear as to the distinction between the presently recited “targeted data” and that of the “forensic artifacts” recited within the independent claims.  The applicant’s specification (including claims 4 and 14) clearly appears to show that the “forensic artifacts” is equivalent to the data that is targeted for collection (i.e. “targeted data”).  

 wherein obtaining targeted data comprises…” renders the scope of the claims indefinite.  Specifically, there is insufficient antecedent basis for the limitation of obtaining targeted data within the claims.  

Regarding claims 7 and 17, the recitation “…wherein the ..artifacts … relate to … a departing employee; a removable storage analysis, a file execution analysis, a timeline analysis and an incident response”, renders the scope of the claims indefinite. Specifically, the examiner notes that it is unclear to one of ordinary skill in the art as to how exactly a collected artifact is further defined by the characterization of “…a departing employee; a removable storage analysis, a file execution analysis, a timeline analysis and an incident response”. The examiner points out that an “artifact” (i.e. data/electronic record) is structurally the same, regardless of any characterization such as being related to a “departing”/“current” employee. Furthermore, the examiner notes that things such as a removable storage analysis, a file execution analysis, a timeline analysis and an incident response do not appear to be inherent or implied characteristics of an artifact, but are rather representative only of an intended use of the collected artifact.

Depending claims are rejected by virtue of dependency.


The following is a quotation of 35 U.S.C. 112(d):


The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claims 2 and 12 are rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.
Specifically, it is noted that the parent claims 1 and 11 already recite the selection of forensic artifacts to collect (i.e. a “specific set of targeted data”), and the configuring (i.e. “customizing”) of an executable computer program to collect such selected or specified forensic artifacts.  Thus, claims 2 and 12 do not appear to further limit the subject matter of claims 1 and 11.  
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1 – 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Jones et al. (Jones), US 2018/0063182 A1.

Regarding claim 1, Jones discloses:
A computer-implemented method for automatic collection, analysis and reporting of a cybersecurity threat (e.g. Jones, Abstract) the method comprising: 
providing a first graphical user interface portion (e.g. Jones, fig. 2a – 2j) designed to receive a selection of one or more types of forensic artifacts to collect from one or more data source designations (e.g. Jones, fig. 2d:251; fig. 2F:261,264; fig. 2G:262,266; fig. 2i:270; par. 18, 43, 77), wherein the one or more data source designations correspond to data sources including forensic artifacts that can be searched and collected (e.g. Jones, par. 43, 44); 
configuring an executable computer program to collect forensic artifacts on a remote client system computer based on the selection of one or more types of forensic artifacts to collect and the one or more data source designations (e.g. Jones, fig. 3:304; par. 80); 
executing the executable computer program on the remote client system computer to automatically collect the forensic artifacts based on the selection of the one or more types of forensic artifacts and the one or more data source designations with the interface (e.g. Jones, fig. 3:306, 308; par. 81, 84), wherein collecting the forensic artifacts comprises obtaining the forensic artifacts from archived data corresponding to system data from a date earlier than a date of an execution of the executable computer program (e.g. Jones, par. 18, 43, 44, 66, 89, 110); 
receiving an encrypted data package, wherein the encrypted data package includes the forensic artifacts automatically collected by the executable computer program (e.g. Jones, fig. 3:308, 310; par. 82, 88, 99); 
decrypting the encrypted data package to produce decrypted forensic artifacts (e.g. 83, 101); 
automatically analyzing the decrypted forensic artifacts (e.g. Jones, 83, 84, 89) using a forensic toolset based on one or more analytic routines and one or more custom queries (e.g. Jones, 85, 102, 104, 107), wherein the forensic toolset comprises a set of forensic tools that output analysis results (e.g. Jones, 18, 48, 57); 
presenting through a second graphical user interface portion an option to select one or more types of output reports (e.g. Jones, fig. 2A; fig. 2C; fig. 2D:253, 255; fig. 2E:281; fig. 2F:265, view results; fig. 2G:267, view results; fig. 2H:269, view results; par. 51, 53 – herein a plurality of reports, e.g. test reports, results reports, can be selected), wherein the one or more types of output reports comprise an output report customized for a plurality of different types of forensic investigations and target audience (e.g. Jones, fig. 2A; par. 34, 68, 73, 74); 
receiving a selection of the one or more types of output reports (e.g. Jones, par. 64, 66, 68, 73, 74; fig. 2D:253, 255; fig. 2E:281; fig. 2F:265, view results; fig. 2G:267, view results; fig. 2H:269, view results); 
responsive to the selection, automatically generating the one or more types of output reports (e.g. Jones, par. 64, 66, 68, 73, 74; fig. 2D:255; fig. 2E:281; fig. 6:606A, B ); 
and communicating the one or more types of output reports (e.g. Jones, par. 68, 73, 74; fig. 3:324; fig. 4:413; fig. 5:514; fig. 6:610). 


Regarding claim 2, Jones discloses:
wherein the executable computer program is customized to perform collection of a specific set of targeted data (e.g. Jones, par. 43, 44, 48). 

Regarding claim 3, Jones discloses:
wherein the graphical user interface comprises one or more categories relating to one or more forensic artifacts for collection, the one or more categories corresponding to forensic events (e.g. Jones, fig. 2D: 251; fig. 2F:264; fig. 2i:270). 

Regarding claim 4, Jones discloses:
wherein obtaining targeted data comprises obtaining one or more types of forensic artifacts from a system (e.g. Jones, par. 43, 44, 48). 

Regarding claim 5, Jones discloses:
wherein obtaining the targeted data comprises obtaining the forensic artifacts from at least one of: user accessible storage and volume shadow copy space (e.g. Jones, par. 43, 44, 48, 56). 

Regarding claim 6, Jones discloses:
wherein processing the decrypted data is based on the one or more analytic routines and the one or more custom queries comprising one or more of the following: data enrichment; whitelisting/blacklisting; program execution analysis; and artifact classification and correlation (e.g. Jones, par. 13, 16, 54, 55). 

Regarding claim 7, Jones discloses:
wherein the one or more types of forensic artifacts to collect relate to one or more of: a departing employee; a removable storage analysis, a file execution analysis, a timeline analysis and an incident response (e.g. Jones, par. 13, 16, 54, 55). 

Regarding claim 8, Jones discloses:
wherein the first graphical user interface portion and the second graphical user interface portion are part of a single interface (e.g. Jones, fig. 7:710; par. 142). 

Regarding claim 9, Jones discloses:
wherein the first graphical user interface portion and the second graphical user interface portion are separate (e.g. Jones, fig. 2A – 2J). 

Regarding claim 10, Jones discloses:
wherein the one or more types of output reports are communicated through the second graphic user interface portion (e.g. Jones, fig. 7:710; par. 142; fig. 2D:253, 255; fig. 2E:281; fig. 2F:265, view results; fig. 2G:267, view results; fig. 2H:269, view results). 

Regarding claims 11 – 20, they comprise essentially similar recitations as the claims above, and they are rejected for, at least, the same reasons.

Furthermore, regarding claim 11, Jones discloses:
A computer-implemented system for automatic collection, analysis and reporting of a cybersecurity event, the system comprising: a memory; and a computer processor that is programmed … (e.g. Jones, fig. 7; claim 9).


Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
See Notice of References Cited.


If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JEFFERY L WILLIAMS/           Primary Examiner, Art Unit 2495