Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendments
The amended claims 1-13 and 15-20 were considered under 35 USC 112, 101 and 103 for patentability over closest and analogous prior arts Selinger et al (US 10109166), hereafter Sel and Ladnai et al (US 20190258800), hereafter Lad have been fully considered and are persuasive. Claim(s) 14 is/are cancelled.

Allowable Subject Matter
1.	Amended claims 1-13 and 15-20 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with Elizabeth (attorney) for filed amended claims:
1.	(Currently Amended) A computing platform, comprising:
at least one processor;
a communication interface communicatively coupled to the at least one processor; and
memory storing computer-readable instructions that, when are configured to be executed by the at least one processor[[,]] and cause the computing platform to:
receive, via the communication interface, from a first enterprise center monitoring system associated with a first enterprise location, information indicating that a first malicious event has been detected at the first enterprise location;
in response to receiving the information indicating that the first malicious event has been detected at the first enterprise location, capture first device information identifying a first plurality of devices present at the first enterprise location during a time period corresponding to the first malicious event;
store the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event;
after storing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event, receive, via the communication interface, from a second enterprise center monitoring system associated with a second enterprise location, second device information identifying a second plurality of devices present at the second enterprise location;
identify that a first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location based on the second device information received from the second enterprise center monitoring system associated with the second enterprise location;
in response to identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location, generate an alert indicating that the first device of the first plurality of devices is present at the second enterprise location and was present at the first enterprise location during the time period corresponding to the first malicious event; 
send, via the communication interface, to the second enterprise center monitoring system associated with the second enterprise location, the alert indicating that the first device of the first plurality of devices is present at the second enterprise location and was present at the first enterprise location during the time period corresponding to the first malicious event;
in response to identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location, generate one or more commands directing the second enterprise center monitoring system associated with the second enterprise location to track dwell time statistics associated with a user in possession of the first device; and
send, via the communication interface, to the second enterprise center monitoring system associated with the second enterprise location, the one or more commands directing the second enterprise center monitoring system associated with the second enterprise location to track the dwell time statistics associated with the user in possession of the first device.
2.	(Original) The computing platform of claim 1, wherein receiving the information indicating that the first malicious event has been detected at the first enterprise location comprises receiving information indicating that the first malicious event has been detected at a staffed enterprise service center.

3.	(Original) The computing platform of claim 1, wherein receiving the information indicating that the first malicious event has been detected at the first enterprise location comprises receiving information indicating that the first malicious event has been detected at an automated enterprise service center.

4.	(Original) The computing platform of claim 1, wherein capturing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event comprises:
generating one or more commands directing the first enterprise center monitoring system to scan for devices present at the first enterprise location; and
sending, to the first enterprise center monitoring system, the one or more commands directing the first enterprise center monitoring system to scan for devices present at the first enterprise location.

5.	(Original) The computing platform of claim 4, wherein capturing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event comprises:
receiving, from the first enterprise center monitoring system, forensic data associated with one or more devices that have scanned for available wireless connections at the first enterprise location.

6.	(Original) The computing platform of claim 1, wherein capturing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event comprises:
capturing information identifying at least one device present at the first enterprise location before the time period corresponding to the first malicious event; and
capturing information identifying at least one device present at the first enterprise location after the time period corresponding to the first malicious event.

7.	(Original) The computing platform of claim 1, wherein storing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event comprises:
generating a unique device signature for each device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event; and
storing the unique device signature generated for each device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event.

8.	(Original) The computing platform of claim 1, wherein storing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event comprises:
storing a timestamp, location identifier, and event-type identifier for each device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event.

9.	(Original) The computing platform of claim 1, wherein storing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event comprises:
filtering out at least one enterprise-affiliated device from the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event.

10.	(Original) The computing platform of claim 1, wherein receiving the second device information identifying the second plurality of devices present at the second enterprise location comprises receiving, from the second enterprise center monitoring system, forensic data associated with one or more devices that have scanned for available wireless connections at the second enterprise location.

11.	(Original) The computing platform of claim 1, wherein identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location comprises identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location based on a unique device signature generated for the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event.

12.	(Original) The computing platform of claim 1, wherein generating the alert indicating that the first device of the first plurality of devices is present at the second enterprise location and was present at the first enterprise location during the time period corresponding to the first malicious event comprises:
inserting a timestamp, location identifier, and event-type identifier obtained from the first device information into the alert indicating that the first device of the first plurality of devices is present at the second enterprise location and was present at the first enterprise location during the time period corresponding to the first malicious event.

13.	(Original) The computing platform of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to:
in response to identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location, generate one or more commands directing a video surveillance system at the second enterprise location to capture one or more images of a user in possession of the first device; and
send, via the communication interface, to the video surveillance system at the second enterprise location, the one or more commands directing the video surveillance system at the second enterprise location to capture the one or more images of the user in possession of the first device, wherein sending the one or more commands directing the video surveillance system at the second enterprise location to capture the one or more images of the user in possession of the first device to the video surveillance system at the second enterprise location causes the video surveillance system at the second enterprise location to take and store the one or more images of the user in possession of the first device.

14.	(Cancelled) 

15.	(Original) The computing platform of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to:
in response to identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location, generate one or more commands directing the second enterprise center monitoring system associated with the second enterprise location to track motion pattern data associated with a user in possession of the first device; and
send, via the communication interface, to the second enterprise center monitoring system associated with the second enterprise location, the one or more commands directing the second enterprise center monitoring system associated with the second enterprise location to track the motion pattern data associated with the user in possession of the first device.

16.	(Previously Presented) A method, comprising:
at a computing platform comprising at least one processor, a communication interface, and memory:
receiving, by the at least one processor, via the communication interface, from a first enterprise center monitoring system associated with a first enterprise location, information indicating that a first malicious event has been detected at the first enterprise location;
in response to receiving the information indicating that the first malicious event has been detected at the first enterprise location, capturing, by the at least one processor, first device information identifying a first plurality of devices present at the first enterprise location during a time period corresponding to the first malicious event;
storing, by the at least one processor, the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event;
after storing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event, receiving, by the at least one processor, via the communication interface, from a second enterprise center monitoring system associated with a second enterprise location, second device information identifying a second plurality of devices present at the second enterprise location;
identifying, by the at least one processor, that a first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location based on the second device information received from the second enterprise center monitoring system associated with the second enterprise location;
in response to identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location, generating, by the at least one processor, an alert indicating that the first device of the first plurality of devices is present at the second enterprise location and was present at the first enterprise location during the time period corresponding to the first malicious event; 
sending, by the at least one processor, via the communication interface, to the second enterprise center monitoring system associated with the second enterprise location, the alert indicating that the first device of the first plurality of devices is present at the second enterprise location and was present at the first enterprise location during the time period corresponding to the first malicious event;
in response to identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location, generate one or more commands directing the second enterprise center monitoring system associated with the second enterprise location to track dwell time statistics associated with a user in possession of the first device; and
send, via the communication interface, to the second enterprise center monitoring system associated with the second enterprise location, the one or more commands directing the second enterprise center monitoring system associated with the second enterprise location to track the dwell time statistics associated with the user in possession of the first device.

17.	(Original) The method of claim 16, wherein receiving the information indicating that the first malicious event has been detected at the first enterprise location comprises receiving information indicating that the first malicious event has been detected at a staffed enterprise service center.

18.	(Original) The method of claim 16, wherein receiving the information indicating that the first malicious event has been detected at the first enterprise location comprises receiving information indicating that the first malicious event has been detected at an automated enterprise service center.

19.	(Original) The method of claim 16, wherein capturing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event comprises:
generating one or more commands directing the first enterprise center monitoring system to scan for devices present at the first enterprise location; and
sending, to the first enterprise center monitoring system, the one or more commands directing the first enterprise center monitoring system to scan for devices present at the first enterprise location.

20.	(Currently Amended) One or more non-transitory computer-readable media storing instructions that, when are configured to be executed by a computing platform comprising at least one processor, a communication interface, and memory[[,]] and cause the computing platform to:
receive, via the communication interface, from a first enterprise center monitoring system associated with a first enterprise location, information indicating that a first malicious event has been detected at the first enterprise location;
in response to receiving the information indicating that the first malicious event has been detected at the first enterprise location, capture first device information identifying a first plurality of devices present at the first enterprise location during a time period corresponding to the first malicious event;
store the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event;
after storing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event, receive, via the communication interface, from a second enterprise center monitoring system associated with a second enterprise location, second device information identifying a second plurality of devices present at the second enterprise location;
identify that a first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location based on the second device information received from the second enterprise center monitoring system associated with the second enterprise location;
in response to identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location, generate an alert indicating that the first device of the first plurality of devices is present at the second enterprise location and was present at the first enterprise location during the time period corresponding to the first malicious event; 
send, via the communication interface, to the second enterprise center monitoring system associated with the second enterprise location, the alert indicating that the first device of the first plurality of devices is present at the second enterprise location and was present at the first enterprise location during the time period corresponding to the first malicious event;
in response to identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location, generate one or more commands directing the second enterprise center monitoring system associated with the second enterprise location to track dwell time statistics associated with a user in possession of the first device; and
send, via the communication interface, to the second enterprise center monitoring system associated with the second enterprise location, the one or more commands directing the second enterprise center monitoring system associated with the second enterprise location to track the dwell time statistics associated with the user in possession of the first device.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Sel teaches C5,6L65-67, 1-2: the security checkpoint hardware apparatus detects the presence of an unrecognized or foreign device and indicates the presence of an unauthorized individual or potential threat and (C6L27-29) a security checkpoint network is used to triangulate the location of a particular mobile device; C1L42-48: security system that monitors the radio frequency signals generated by mobile phones and similar mobile computing devices to then create a unique identifier or "fingerprint" for each such mobile device and (C2L15-18) record all mobile devices that are in range of the system as potential suspect devices, compare the potential suspect devices against recognized devices in the device fingerprint database, and generate a list of one or more suspect devices; C6L40-43: the database of fingerprints enables the filtering and sorting of data to determine movement patterns and potentially early warning of crimes; C2L45-50: monitoring an area for the presence of a mobile device, detecting one or more radio signals emitted by the mobile device, generating a device fingerprint that positively identifies a mobile device, and uploading the device fingerprint to a device fingerprint database to be accessed by a network of other security checkpoints; C6L13-20: each security checkpoint in the network captures and contribute certain details about a given mobile device that were not captured by other checkpoints in the network and in turn the network creates a more certain and unique "fingerprint" for a given device, if one security checkpoint hardware apparatus detects the presence of a foreign device before a crime is committed and that same device is later detected by a different security checkpoint, then a security event could be initiated whereby other persons in the areas are notified as to the potential threat and the authorities are alerted as to the probable location of the device and in turn the possible suspect; C6L13-20: if one security checkpoint hardware apparatus detects the presence of a foreign device before a crime is committed and that same device is later detected by a different security checkpoint, then a security event could be initiated whereby other persons in the areas are notified as to the potential threat and the authorities are alerted as to the probable location of the device and in turn the possible suspect and (C8L7-13) the security checkpoint determines whether any foreign or unrecognized devices are in the area and flag those for further consideration. Additionally, the security checkpoint filters and compare information in the database to determine if there is any correlation or pattern between the mobile device(s) that were in the vicinity at similar crimes, the security checkpoint then use that pattern information to provide alerts to citizens and law enforcement when one of those flagged device(s) enters a monitored area; C6L43-49: the database can be filtered to see what devices were in an area when a crime occurred and whether any of those same devices were in a different area when a similar crime occurred. This information is then used to provide an alert when any of those devices enter an area that is covered by one of the security checkpoints that are integrated with the database.

Further, a second prior art of record Lad teaches [0007] a number of events, for an identified computing object with an IP address, within the sequence of events are preserved for a predetermined time window, where the predetermined time window has a different duration for at least two types of computing objects and [0028, 37] and in a plurality of geographical locations and policies are defined for ...network location, time of day... or the like.

None of the other prior arts of record teach by themselves or in any combination, would have anticipated nor render obvious by combination the claimed invention of the present application at or before the time it was filed.  The prior arts of record fail to teach: identifying that a first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location based on the second device information received from the second enterprise center monitoring system associated with the second enterprise location and in response to identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location, generating an alert indicating that the first device of the first plurality of devices is present at the second enterprise location and was present at the first enterprise location during the time period corresponding to the first malicious event and sending to the second enterprise center monitoring system associated with the second enterprise location, the alert indicating that the first device of the first plurality of devices is present at the second enterprise location and was present at the first enterprise location during the time period corresponding to the first malicious event and in response to identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location, generate one or more commands directing the second enterprise center monitoring system associated with the second enterprise location to track dwell time statistics associated with a user in possession of the first device and send to the second enterprise center monitoring system associated with the second enterprise location, the one or more commands directing the second enterprise center monitoring system associated with the second enterprise location to track the dwell time statistics associated with the user in possession of the first device.

Therefore, independent claim 1 and their corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior arts of record. The same amendments and reasoning are applicable to independent claim(s) 16 and 20 mutatis mutandis.  Claim(s) 14 is/are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/BADRINARAYANAN /Examiner, Art Unit 2496.