Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER'S AMENDMENT

An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Matthew Nigriny on 2/4/2022.

The application has been amended as follows: 

1. A computer-implemented method for automatic collection, analysis and reporting of a cybersecurity threat, the method comprising:
              providing a first graphical user interface portion designed to receive a selection of one or more types of forensic artifacts to collect from one or more data source designations, wherein the one or more data source designations correspond to data sources including forensic artifacts that can be searched and collected;
              configuring a standalone executable computer program to collect forensic artifacts indicating removal of data by a departing employee on a remote client system computer a plurality of types of forensic artifacts to collect and the one or more data source designations, the types of forensic artifacts comprising electronic records of recently accessed files, printing history, deletion of a file, editing of a file, downloading a file into a removable storage, installed applications, internet history, sending an email, sending a text message, and capturing an image;
              executing the standalone executable computer program on a volume shadow copy of the remote client system computer to (1) automatically collect the forensic artifacts based on the selection of the plurality of types of forensic artifacts and the one or more data source designations with the interface, wherein collecting the forensic artifacts comprises obtaining the forensic artifacts from archived data corresponding to system data from a date earlier than a date of an execution of the executable computer program, (2) store the collected forensic artifacts in a temporary data storage, and (3) encrypt the collected forensic artifacts into an encrypted data package;
              receiving the encrypted data package from the standalone executable computer program, wherein the encrypted data package includes the forensic artifacts automatically collected by the executable computer program;
              decrypting the encrypted data package to produce decrypted forensic artifacts;
              automatically analyzing the decrypted forensic artifacts using a forensic toolset based on one or more analytic routines and one or more analysis queries, wherein the forensic toolset comprises a set of forensic tools that output analysis results;
              presenting through a second graphical user interface portion an option to select a plurality of types of output reports, wherein the plurality of types of output reports comprise an output report customized for a plurality of different 
              receiving a selection of the one or more types of output reports;
              responsive to the selection, automatically generating the one or more types of output reports; and
              communicating the one or more types of output reports.



11. A computer-implemented system for automatic collection, analysis and reporting of a cybersecurity event, the system comprising:
              a memory;
              and a computer processor that is programmed to:
              provide a first graphical user interface portion designed to receive a selection of one or more types of forensic artifacts to collect from one or more data source designations, wherein the one or more data source designations correspond to data sources including forensic artifacts that can be searched and collected;
              configure a standalone executable computer program to collect forensic artifacts indicating removal of data by a departing employee on a remote client system computer based on the selection of a plurality of types of forensic artifacts to collect and the one or more data source designations, the types of forensic artifacts comprising electronic records of recently accessed files, printing history, deletion of a file, editing of 
              execute the standalone executable computer program on a volume shadow copy of the remote client system computer to (1) automatically collect the forensic artifacts based on the selection of the plurality of types of forensic artifacts and the one or more data source designations with the interface, wherein collecting the forensic artifacts comprises obtaining the forensic artifacts from archived data corresponding to system data from a date earlier than a date of an execution of the executable computer program, (2) store the collected forensic artifacts in a temporary data storage, and (3) encrypt the collected forensic artifacts into an encrypted data package;
              receive, at an investigator/consultant’s operation center, the encrypted data package from the standalone executable computer program, wherein the encrypted data package includes the forensic artifacts automatically collected by the executable computer program;
              decrypt, at the investigator/consultant’s operation center, the encrypted data package to produce decrypted forensic artifacts;
              automatically analyzing the decrypted forensic artifacts using a forensic toolset based on one or more analytic routines and one or more analysis queries, wherein the forensic toolset comprises a set of forensic tools that output analysis results;
              presenting through a second graphical user interface portion an option to select a plurality of types of output reports, wherein the plurality of types of output reports comprise an output report customized for a plurality of different types of forensic investigations including departing employee investigations and an output 
              receive a selection of the one or more types of output reports;
              responsive to the selection, automatically generating the one or more types of output reports; and
              communicate the one or more types of output reports.



Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965. The examiner can normally be reached 7:30 am - 4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is 





/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495