DETAILED ACTION
Response to Amendment
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is in reply to papers filed on 2021-12-07. Claims 1-3, 5, 7-16, 18-20 are pending, following Applicant's cancellation of claims 4, 6, 17. Claims 1 and 15 are independent.
The objections to informalities in the claims are withdrawn in view of Applicant’s amendments.
The rejection(s) of claims under 35 U.S.C. § 112 are withdrawn in view of Applicant’s amendments.
The rejection(s) of claims under 35 U.S.C. § 101 are withdrawn in view of Applicant’s amendments.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).


Response to Arguments
Applicant's arguments have been fully considered but they are not persuasive.
With respect to amended claim(s) 1 (see page(s) 11-12 of Applicant’s Remarks), Applicant argues that the prior art of record (in particular, U.S. Patent 9038177 to Tierney (hereinafter "Tierney '177") in view of U.S. Publication 20210011999 to Bennett et al. (hereinafter "Bennett '999")) does not disclose “generating an acquisition cryptographic hash 
Applicant’s arguments with respect to the remaining claim(s) is/are based on Applicant’s arguments with respect to claim(s) 1 and have been considered as detailed above.


Claim Rejections - 35 U.S.C. § 112
The following is a quotation of 35 U.S.C. § 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claim(s) 1-3, 5, 7-14, 19 is/are rejected under 35 U.S.C. § 112(b) or 35 U.S.C. § 112 ¶ 2 (pre-AIA) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.

Dependent claims 1-3, 5, 7-14 are rejected for the reasons presented above with respect to rejected claims 1 and in view of their dependence thereon.


Summary of Claim Rejections under 35 U.S.C. § 103
The following table summarizes the rejections set forth in detail below of the claims over the prior art.

| Claim No. | Tierney '177 in view of Vashisht '967 | Tierney '177 in view of Vashisht '967 in view of Harris '517 | Tierney '177 in view of Vashisht '967 in view of Murphey '032 |
| --- | --- | --- | --- |
| 1 | ✓ | | |
| 2 | ✓ | | |
| 3 | ✓ | | |
| 5 | ✓ | | |
| 7 | ✓ | | |
| 8 | | ✓ | |
| 9 | ✓ | | |
| 10 | | | ✓ |
| 11 | | ✓ | |
| 12 | ✓ | | |
| 13 | ✓ | | |
| 14 | ✓ | | |

| Claim No. | Tierney '177 in view of Vashisht '967 in view of Elovici '061 | Tierney '177 in view of Vashisht '967 in view of Elovici '061 in view of Murphey '032 |
| --- | --- | --- |
| 15 | ✓ | |
| 16 | ✓ | |
| 18 | ✓ | |
| 19 | ✓ | |
| 20 | | ✓ |


Claim Rejections - 35 U.S.C. § 103
The following is a quotation of the appropriate paragraphs of AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of AIA  35 U.S.C. 103 that forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to 

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. § 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 1-3, 5, 7, 9, 12-14 is/are rejected under 35 U.S.C. § 103 as being unpatentable over U.S. Patent 9038177 to Tierney (hereinafter "Tierney '177") in view of U.S. Publication 20190207967 to Vashisht et al. (hereinafter "Vashisht '967").  Tierney '177 is prior art to the claims under 35 U.S.C. § 102(a)(1).  Vashisht '967 is prior art to the claims under 35 U.S.C. § 102(a)(1) and § 102(a)(2).
Per claim 1 (independent):
Tierney '177 discloses a method for conducting cyber investigations (receives cyber threat and investigates [Tierney '177 c. 2 l. 62 – c. 3 l. 16, c. 7 l. 29-39])
Tierney '177 discloses in an information processing apparatus comprising one computer processor (processor(s), memory, computer readable media, storage, executable instructions [Tierney '177 c. 9 l. 45-61])
Tierney '177 discloses receiving initiation of an investigative workflow comprising contextual information including a cyber investigative case, a cyber investigative subject, and/or a cyber investigative threat (receives cyber threat and investigates [Tierney '177 c. 2 l. 62 – c. 3 l. 16, c. 7 l. 29-39])
Tierney '177 discloses collecting digital evidence for the contextual information from an electronic data asset (collects telemetry [Tierney '177 c. 3 l. 6-17]; collects PII scan, virus scan from asset [Tierney '177 c. 7 l. 29-39, c. 6 l. 16-26])
Tierney '177 does not disclose generating an acquisition cryptographic hash of the collected digital evidence
Tierney '177 does not disclose storing the acquisition cryptographic hash with a timestamp of collection as collection metadata in an evidence tracking system
Tierney '177 discloses processing the digital evidence into structured data (processes unstructured and structured data into stored structured data [Tierney '177 c. 3 l. 18 - 55])
Tierney '177 discloses staging and enriching the structured data (enriches structured stored data with additional sources, logical inferences [Tierney '177 c. 3 l. 66 – c. 5 l. 25])
Tierney '177 discloses analyzing the enriched structured data (analyzes enriched data, e.g. by expert system [Tierney '177 c. 5 l. 58 – c. 6 l. 45] or artificial intelligence [Tierney '177 c. 5 l. 58 – 67])
Tierney '177 discloses generating at least one report based on the analysis (generates reports and graphical displays [Tierney '177 c. 4 l. 16 – 47, c. 5 l. 58 – c. 6 l. 26])
Further:
Vashisht '967 discloses generating an acquisition cryptographic hash of the collected digital evidence (timestamps evidence collected and verdicts reached [Vashisht '967 ¶ 0042, 0049, 0108-0115]; stores hashes of evidence collected [Vashisht '967 ¶ 0042, 0049, 0108-0115])
Vashisht '967 discloses storing the acquisition cryptographic hash with a timestamp of collection as collection metadata in an evidence tracking system (timestamps evidence collected and verdicts reached [Vashisht '967 ¶ 0042, 0049, 0108-0115]; stores hashes of evidence collected [Vashisht '967 ¶ 0042, 0049, 0108-0115])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Tierney '177 with the hash verification of Vashisht '967 to arrive at an apparatus, method, and product including:
generating an acquisition cryptographic hash of the collected digital evidence
storing the acquisition cryptographic hash with a timestamp of collection as collection metadata in an evidence tracking system
A person having ordinary skill in the art would have been motivated to combine them at least because hash verification would demonstrate that the evidence upon which the conclusions of the cyber investigation system of Tierney '177 rely has not been altered since it was collected.  A person having ordinary skill in the art would have been further motivated to 
Per claim 2 (dependent on claim 1):
Tierney '177 in view of Vashisht '967 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Tierney '177 discloses the electronic data asset comprises an end point system comprising an agent that interacts with an end point detection and response system (end point asset [Tierney '177 c. 9 l. 19-61]; collects telemetry [Tierney '177 c. 3 l. 6-17]; collects PII scan, virus scan from asset [Tierney '177 c. 7 l. 29-39, c. 6 l. 16-26])
Per claim 3 (dependent on claim 2):
Tierney '177 in view of Vashisht '967 discloses the elements detailed in the rejection of claim 2 above, incorporated herein by reference
Tierney '177 discloses the end point detection and response system instruments the collection from the electronic data asset and stores the collected data in an archive file format in an evidence storage system (end point asset [Tierney '177 c. 9 l. 19-61]; collects telemetry [Tierney '177 c. 3 l. 6-17]; collects PII scan, virus scan from asset [Tierney '177 c. 7 l. 29-39, c. 6 l. 16-26]; processes unstructured and structured data into stored structured data [Tierney '177 c. 3 l. 18 - 55])
Per claim 5 (dependent on claim 4):
Tierney '177 in view of Vashisht '967 discloses the elements detailed in the rejection of claim 4 above, incorporated herein by reference
Tierney '177 does not disclose regenerating a cryptographic hash of the collected data on a subsequent access, and comparing the regenerated cryptographic hash to the acquisition cryptographic hash
Further:
Vashisht '967 discloses regenerating a cryptographic hash of the collected data on a subsequent access, and comparing the regenerated cryptographic hash to the acquisition cryptographic hash (timestamps evidence collected and verdicts reached [Vashisht '967 ¶ 0042, 0049, 0108-0115]; stores hashes of evidence collected [Vashisht '967 ¶ 0042, 0049, 0108-0115])
For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Tierney '177 with the hash verification of Vashisht '967 to arrive at an apparatus, method, and product including:
regenerating a cryptographic hash of the collected data on a subsequent access, and comparing the regenerated cryptographic hash to the acquisition cryptographic hash
Per claim 7 (dependent on claim 1):
Tierney '177 in view of Vashisht '967 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Tierney '177 discloses the contextual metadata comprises a file system artifact, an operating system artifact, and/or an application artifact (extracts data and metadata from, e.g. an email, and stores in structured format [Tierney '177 c. 2 l. 62 – c. 3 l. 65])
Per claim 9 (dependent on claim 1):
Tierney '177 in view of Vashisht '967 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Tierney '177 discloses the step of analyzing the enriched structured data comprises correlating the enriched structured data across data sets (correlates data sets [Tierney '177 c. 7 l. 11-29, c. 4 l. 29-37, c. 5 l. 7-25])
Per claim 12 (dependent on claim 1):
Tierney '177 in view of Vashisht '967 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Tierney '177 discloses identifying a suspicious event based on known indicators of compromise (IOCs) (compares event to stored known patterns [Tierney '177 c. 5 l. 8-27, c. 3 l. 66 – c. 4 l. 27, c. 7 l. 11-39])
Per claim 13 (dependent on claim 1):
Tierney '177 in view of Vashisht '967 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Tierney '177 discloses identifying a suspicious event based on a known pattern (compares event to stored known patterns [Tierney '177 c. 5 l. 8-27, c. 3 l. 66 – c. 4 l. 27, c. 7 l. 11-39])
Per claim 14 (dependent on claim 1):
Tierney '177 in view of Vashisht '967 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Tierney '177 discloses using machine learning to identify suspicious events that contain unknown indicators and originate from unknown patterns (artificial intelligence, patterns, anomalies [Tierney '177 c. 5 l. 58 – 67, c. 3 l. 66 – c. 4 l. 27])
Claim(s) 8, 11 is/are rejected under 35 U.S.C. § 103 as being unpatentable over Tierney '177 in view of Vashisht '967 in view of U.S. Publication 20140324517 to Harris (hereinafter "Harris '517").  Harris '517 is prior art to the claims under 35 U.S.C. § 102(a)(1).
Per claim 8 (dependent on claim 1):
Tierney '177 in view of Vashisht '967 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Tierney '177 does not disclose the step of analyzing the enriched structured data comprises searching the enriched structured data using exploratory data analysis
Further:
Harris '517 discloses the step of analyzing the enriched structured data comprises searching the enriched structured data using exploratory data analysis (exploratory data 
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Tierney '177 with the exploratory data analysis of Harris '517 to arrive at an apparatus, method, and product including:
the step of analyzing the enriched structured data comprises searching the enriched structured data using exploratory data analysis
A person having ordinary skill in the art would have been motivated to combine them at least because exploratory data analysis provides tools for characterizing a data set and identifying normal and anomalous patterns, which, as Harris '517 explains, is particularly useful in sifting the vast amounts of data common in cyber investigations.  A person having ordinary skill in the art would have been further motivated to combine them at least because Harris '517 teaches [Harris '517 ¶ 0033, 0017, 0036, 0007-0008, 0037] modifying a cyber investigation system [Tierney '177 c. 2 l. 62 – c. 3 l. 16, c. 7 l. 29-39] such as that of Tierney '177 to arrive at the claimed invention; because doing so constitutes use of a known technique (exploratory data analysis [Harris '517 ¶ 0033, 0017, 0036]) to improve similar devices and/or methods (cyber investigation system [Tierney '177 c. 2 l. 62 – c. 3 l. 16, c. 7 l. 29-39]) in the same way; because doing so constitutes applying a known technique (exploratory data analysis [Harris '517 ¶ 0033, 0017, 0036]) to known devices and/or methods (cyber investigation system [Tierney '177 c. 2 l. 62 – c. 3 l. 16, c. 7 l. 29-39]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results.  Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by
Per claim 11 (dependent on claim 1):
Tierney '177 in view of Vashisht '967 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Tierney '177 does not disclose identifying outliers in the data using statistical charting of the data
Further:
Harris '517 discloses identifying outliers in the data using statistical charting of the enriched structured data (exploratory data analysis, statistical charting, identification of outliers [Harris '517 ¶ 0033, 0017, 0036]; cyber investigation system [Harris '517 ¶ 0007-0008, 0037])
For the reasons detailed above with respect to claim 8, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Tierney '177 with the exploratory data analysis of Harris '517 to arrive at an apparatus, method, and product including:
identifying outliers in the data using statistical charting of the enriched structured data
Claim(s) 10 is/are rejected under 35 U.S.C. § 103 as being unpatentable over Tierney '177 in view of Vashisht '967 in view of U.S. Publication 20190098032 to Murphey et al. (hereinafter "Murphey '032").  Murphey '032 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).
Per claim 10 (dependent on claim 1):
Tierney '177 in view of Vashisht '967 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Tierney '177 does not disclose constructing an event timeline from time-series data in the enriched structured data
Further:
Murphey '032 discloses constructing an event timeline from time-series data in the enriched structured data (uses time series to identify patterns and compares to transitions of known attack graph [Murphey '032 ¶ 0071, 0232]; cyber investigation system including improved SIEM [Murphey '032 ¶ 0170-0172]; generates timeline reports [Murphey '032 ¶ 0140, 0183, 0184, 0232-0233, Fig. 26])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Tierney '177 with the event timelines of Murphey '032 to arrive at an apparatus, method, and product including:
constructing an event timeline from time-series data in the enriched structured data
A person having ordinary skill in the art would have been motivated to combine them at least because event timelines provide tools for characterizing a data set and identifying normal and anomalous patterns, which, as Murphey '032 explains, is particularly useful in sifting the vast amounts of data common in cyber investigations.  A person having ordinary skill in the art would have been further motivated to combine them at least because Murphey '032 teaches [Murphey '032 ¶ 0170-0172] modifying a cyber investigation system [Tierney '177 c. 2 l. 62 – c. 3 l. 16, c. 7 l. 29-39] such as that of Tierney '177 to arrive at the claimed invention [Murphey '032 ¶ 0071, 0140, 0183, 0184, 0232-0233, Fig. 26]; because doing so constitutes use of a known technique (event timelines [Murphey '032 ¶ 0071, 0140, 0183, 0184, 0232-0233, Fig. 26]) to improve similar devices and/or methods (cyber investigation system [Tierney '177 c. 2 l. 62 – c. 3 l. 16, c. 7 l. 29-39]) in the same way; .
Claim(s) 15-16, 18-19 is/are rejected under 35 U.S.C. § 103 as being unpatentable over Tierney '177 in view of Vashisht '967 in view of U.S. Publication 20210084061 to Elovici et al. (hereinafter "Elovici '061").  Elovici '061 is prior art to the claims under 35 U.S.C. § 102(a)(2).
Per claim 15 (independent):
Tierney '177 discloses a system for conducting cyber investigations (receives cyber threat and investigates [Tierney '177 c. 2 l. 62 – c. 3 l. 16, c. 7 l. 29-39]; cyber threat data collection and analysis system [Tierney '177 Figs. 1, 3])
Tierney '177 discloses a plurality of data assets (end point asset [Tierney '177 c. 9 l. 19-61]; collects telemetry [Tierney '177 c. 3 l. 6-17]; collects PII scan, virus scan from asset [Tierney '177 c. 7 l. 29-39, c. 6 l. 16-26])
Tierney '177 does not disclose a plurality of virtualized containers
Tierney '177 discloses a Security Information and Event Management ("SIEM") platform (cyber threat data collection and analysis system [Tierney '177 Figs. 1, 3])
Tierney '177 discloses a data analytics platform (enriches structured stored data with additional sources, logical inferences [Tierney '177 c. 3 l. 66 – c. 5 l. 25])
Tierney '177 discloses a data analysis pipeline (analyzes enriched data, e.g. by expert system [Tierney '177 c. 5 l. 58 – c. 6 l. 45] or artificial intelligence [Tierney '177 c. 5 l. 58 – 67])
Tierney '177 discloses an evidence tracking system (receives cyber threat and investigates [Tierney '177 c. 2 l. 62 – c. 3 l. 16, c. 7 l. 29-39]; cyber threat data collection and analysis system [Tierney '177 Figs. 1, 3])
Tierney '177 discloses an orchestration platform comprising at least one computer processor (collects telemetry [Tierney '177 c. 3 l. 6-17]; collects PII scan, virus scan from asset [Tierney '177 c. 7 l. 29-39, c. 6 l. 16-26]; processor(s), memory, computer readable media, storage, executable instructions [Tierney '177 c. 9 l. 45-61])
Tierney '177 discloses the orchestration platform receives initiation of an investigative workflow comprising contextual information including at least one of a case, at least one of the data assets, a subject, and a threat (receives cyber threat and investigates [Tierney '177 c. 2 l. 62 – c. 3 l. 16, c. 7 l. 29-39])
Tierney '177 discloses the orchestration platform collects digital evidence from the data asset (collects telemetry [Tierney '177 c. 3 l. 6-17]; collects PII scan, virus scan from asset [Tierney '177 c. 7 l. 29-39, c. 6 l. 16-26])
Tierney '177 does not disclose the orchestration platform generates an acquisition cryptographic hash of the collected digital evidence
Tierney '177 does not disclose the orchestration platform stores the acquisition cryptographic hash with a timestamp of collection as collection metadata in the evidence tracking system
Tierney '177 does not disclose the virtualized containers process the digital evidence into structured data
However, Tierney '177 discloses the systems process the digital evidence into structured data (processes unstructured and structured data into stored structured data [Tierney '177 c. 3 l. 18 - 55])
Tierney '177 discloses the SIEM platform and the data analytics platform stage and enrich the structured data (enriches structured stored data with additional sources, logical inferences [Tierney '177 c. 3 l. 66 – c. 5 l. 25]; cyber threat data collection and analysis system [Tierney '177 Figs. 1, 3])
Tierney '177 discloses the data analysis pipeline analyzes the enriched structured data (analyzes enriched data, e.g. by expert system [Tierney '177 c. 5 l. 58 – c. 6 l. 45] or artificial intelligence [Tierney '177 c. 5 l. 58 – 67])
Tierney '177 discloses the orchestration platform generates at least one report based on the analysis (generates reports and graphical displays [Tierney '177 c. 4 l. 16 – 47, c. 5 l. 58 – c. 6 l. 26])

Vashisht '967 discloses the orchestration platform generates an acquisition cryptographic hash of the collected digital evidence (timestamps evidence collected and verdicts reached [Vashisht '967 ¶ 0042, 0049, 0108-0115]; stores hashes of evidence collected [Vashisht '967 ¶ 0042, 0049, 0108-0115])
Vashisht '967 discloses the orchestration platform stores the acquisition cryptographic hash with a timestamp of collection as collection metadata in the evidence tracking system (timestamps evidence collected and verdicts reached [Vashisht '967 ¶ 0042, 0049, 0108-0115]; stores hashes of evidence collected [Vashisht '967 ¶ 0042, 0049, 0108-0115])
For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Tierney '177 with the hash verification of Vashisht '967 to arrive at an apparatus, method, and product including:
the orchestration platform generates an acquisition cryptographic hash of the collected digital evidence
the orchestration platform stores the acquisition cryptographic hash with a timestamp of collection as collection metadata in the evidence tracking system
Further:
Elovici '061 discloses a plurality of virtualized containers (workflow containers process evidence separately [Elovici '061 ¶ 0071, 0082]; cyber investigation platform including SIEM stores data collected by agents [Elovici '061 ¶ 0045])
Elovici '061 discloses the virtualized containers process the digital evidence into structured data (workflow containers process evidence separately [Elovici '061 ¶ 0071, 0082]; cyber investigation platform including SIEM stores data collected by agents)
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Tierney '177 with virtualized containers of Elovici '061 to arrive at an apparatus, method, and product including:
a plurality of virtualized containers
the virtualized containers process the digital evidence into structured data

Per claim 16 (dependent on claim 15):
Tierney '177 in view of Vashisht '967 in view of Elovici '061 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference
Tierney '177 discloses an end point detection and response system (collects telemetry [Tierney '177 c. 3 l. 6-17]; collects PII scan, virus scan from asset [Tierney '177 c. 7 l. 29-39, c. 6 l. 16-26])
Tierney '177 discloses an evidence storage system (processes unstructured and structured data into stored structured data [Tierney '177 c. 3 l. 18 - 55]; databases [Tierney '177 c. 6 l. 62 – c. 7 l. 10, c. 8 l. 20 – 43])
Tierney '177 discloses the data asset comprises an agent that interacts with the end point detection and response system, and the end point detection and response system instruments the collection from the data assets and stores the collected data in an archive file format in the evidence storage system (end point asset [Tierney '177 c. 9 l. 19-61]; collects telemetry [Tierney '177 c. 3 l. 6-17]; collects PII scan, virus scan from asset [Tierney '177 c. 7 l. 29-39, c. 6 l. 16-26]; processes unstructured and structured data into stored structured data [Tierney '177 c. 3 l. 18 - 55])
Per claim 18 (dependent on claim 15):
Tierney '177 in view of Vashisht '967 in view of Elovici '061 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference
Tierney '177 does not disclose the orchestration platform regenerates a cryptographic hash of the collected data on a subsequent access, and compares the regenerated cryptographic hash to the acquisition cryptographic hash
Further:
Vashisht '967 discloses the orchestration platform regenerates a cryptographic hash of the collected data on a subsequent access, and compares the regenerated cryptographic hash to the acquisition cryptographic hash (timestamps evidence collected and verdicts reached [Vashisht '967 ¶ 0042, 0049, 0108-0115]; stores hashes of evidence collected [Vashisht '967 ¶ 0042, 0049, 0108-0115])
For the reasons detailed above with respect to claim 1, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Tierney '177 with the hash verification of Vashisht '967 to arrive at an apparatus, method, and product including:
the orchestration platform regenerates a cryptographic hash of the collected data on a subsequent access, and compares the regenerated cryptographic hash to the acquisition cryptographic hash
Per claim 19 (dependent on claim 15):
Tierney '177 in view of Vashisht '967 in view of Elovici '061 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference
Tierney '177 discloses the structured data is enriched by adding contextual metadata to data objects in the structured data (enriches structured stored data with additional sources, logical inferences [Tierney '177 c. 3 l. 66 – c. 5 l. 25])
Tierney '177 discloses the contextual metadata comprising a file system artifact, an operating system artifact, and/or an application artifact (extracts data and metadata from, e.g. an email, and stores in structured format [Tierney '177 c. 2 l. 62 – c. 3 l. 65])
Claim(s) 20 is/are rejected under 35 U.S.C. § 103 as being unpatentable over Tierney '177 in view of Vashisht '967 in view of Elovici '061 in view of Murphey '032.
Per claim 20 (dependent on claim 15):
Tierney '177 in view of Vashisht '967 in view of Elovici '061 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference
Tierney '177 does not disclose the report comprises an event timeline from time-series data
Further:
Murphey '032 discloses the report comprises an event timeline from time-series data (uses time series to identify patterns and compares to transitions of known attack graph [Murphey '032 ¶ 0071, 0232]; cyber investigation system including improved SIEM [Murphey '032 ¶ 0170-0172]; generates timeline reports [Murphey '032 ¶ 0140, 0183, 0184, 0232-0233, Fig. 26])
For the reasons detailed above with respect to claim 10, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Tierney '177 with the event timelines of Murphey '032 to arrive at an apparatus, method, and product including:
the report comprises an event timeline from time-series data

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THEODORE C PARSONS whose telephone number is (571)270-1475.  The examiner can normally be reached on MTWRF 7:30-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/THEODORE C PARSONS/Primary Examiner, Art Unit 2494