Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Election/Restrictions
2.    NO restrictions warranted at initial time of filing for patent.

Information Disclosure Statement
3.    The information disclosure statement (IDS) submitted on 03/25/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Oath/Declaration
4.    No oath or declaration filed.

Drawings
5.    Applicant’s drawings filed on 09/25/2019 have been inspected and are in compliance with MPEP 608.01.

Specification
6.    Applicant’s specification filed on 09/25/2019 has been inspected and is in compliance with MPEP 608.02.

Claim Objections
7.    NO objections warranted at initial time of filing for patent.

Remarks
8.	Examiner requests that Applicant review the relevant prior art cited in the Conclusion of this Office action.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

9.	Claims 1, 3, 4, 6, 7, 10, 11, 13, 14, 16, 17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 10438000 hereinafter Gu in view of U.S. Publication No. 10609066 hereinafter Nossik.

As per claim 1, Gu discloses:
A method for storing forensics-specific metadata (Col. 1 Lines 38-41 “The content of each specific image file in a user's backup set (or other type of file set on an endpoint) is analyzed, for example during a backup of the endpoint to a server or the like. Each analyzed image file is categorized based on the results of Col. 2 Lines 5-8 “Categorization metadata concerning each specific one of the image files in the file set is maintained. The categorization metadata concerning a specific image file describes its categorization based on the results of analyzing its content.”), 
the method comprising: 
generating a backup of user data stored on a computing device in accordance with a backup schedule (Col. 4 Lines 39-42 “As illustrated in FIG. 3, the backup image based recovery manager 101 runs in conjunction with a backend (e.g., server side, cloud based) component 305 of a backup system 301, whereas the endpoint agents 111 run in conjunction with endpoint (e.g., client side) components 303 of a backup system 301.” Col. 5 Lines 13-25 “The backup image based recovery manager 101 enables file recovery after a ransomware or other cryptographic attack based on analysis of a user's backup image files 307. As illustrated in FIG. 3, during the process of backing-up from endpoint 300A to the backend server 105, the backup image based recovery manager 101 analyzes the image files 307 in the backup set 309, and categorizes each image file 307 according to its content. As used herein, the term “backup set 309” refers to a set of files, folders and/or other resources designated for backup on a specific endpoint 300. The files in a backup set 309 can be, for example, automatically backed-up according to a schedule (e.g., daily, weekly, monthly, etc.).”); 
identifying, from a plurality of system metadata of the computing device, forensics- specific metadata of the computing device based on predetermined Col. 5 Lines 33-44 “The content-based categorization of image files 307 is described in detail below, and can be at any desired level of granularity. For example, specific image files 307 can be categorized as containing imagery of people, places, things, events, animals, etc. The content based categorization of image files 307 can also be supplemented with additional information describing the image files 307, such as identifiers of devices used to create image files 307, sources from which image files 307 were obtained, GPS coordinates of locations at which photographs were taken, etc. The categorization information concerning the image files 307 is stored as metadata 311 on the backend.”); 
generating a backup of the forensics-specific metadata in accordance with the backup schedule (Col. 5 Lines 45-57 “During a subsequent backup of the endpoint 300A, the image files 307 in the corresponding backup set 309 are checked against the corresponding stored categorization metadata 311. If the differences are above a given threshold, the endpoint computer 300A is adjudicated to having been subject to a file corrupting event such as a ransomware or other type of cryptographic attack, and a corresponding security action can be taken in response. For example, the backup can be terminated, the point at which the endpoint 300A was attacked can be determined, and a pre-attack backup of all the user's files (not just the image files 307) can be used to recover the user's data that was encrypted by the ransomware attack.”), 
307. For example, suppose the stored categorization metadata 311 pertaining to a specific image file 307 indicates that the image depicts, e.g., three specific people, whereas during the subsequent backup the categorization of the specific image file 307 does not match. The level of detected change could be more or less extreme depending upon the contents of the given image file 307 at the time of the subsequent backup. For example, the subsequent categorization could indicate that the image file 307 now contains a graphic depiction of text (very different), two of the original three specific people (moderately different) or three people two of whom are unchanged, and one of whom cannot be identified (somewhat less different), etc. Changes can also be detected across multiple images (e.g., 95% of the image files have changed, 30% of the image files have changed, 2% have changed, etc.). Generally, a certain amount of modification is to be expected, as users make certain edits to photographs and other types of image files 307, such as cropping, zooming, resizing, adjusting colors, etc. However, substantial changes, especially when made across a large percentage of the image files 307 in the backup set 309, can trigger suspicion.”); 
and in response to detecting the suspicious digital activity based on the analysis, generating a security event indicating that the suspicious digital activity has occurred (Col. 8 Lines 54-64 “In response to adjudicating the occurrence of a cryptographic attack, a security action executing module 411 of the backup 

	Gu does not disclose:
identifying, from a plurality of system metadata of the computing device, forensics- specific metadata of the computing device based on predetermined rules
wherein a backup of the forensics-specific metadata is stored separately from the backup of the user data

Nossik discloses:
identifying, from a plurality of system metadata of the computing device, forensics- specific metadata of the computing device based on predetermined rules and wherein a backup of the forensics-specific metadata is stored separately from the backup of the user data (Col. 13 Lines 56-67 “Data written to the cache storage tier 616 by the application processes 610 is subsequently written from the cache storage tier 616 to the COW storage tier 614 which makes one or more copies of the data. The COW storage tier 614 also generates metadata for each such copy of the data. The data and its one or more Col. 15 Lines 4-15 “In normal operation in the absence of a ransomware attack, the application processes 610 read data from the cache storage tier 616. The cache storage tier 616 fetches the most recent copy of the data from the WORM storage tier 612 via the COW storage tier 614. The application processes 610 write data to the cache storage tier 616. The COW storage tier 614 creates snapshots of the written data from the cache storage tier 616 and writes those snapshots to the WORM storage tier 612 while also sending the corresponding snapshot metadata to the metadata server 624. The WORM storage tier 612 encrypts the snapshots using DEKs from the KMS 622. The metadata server can update the COW snapshot policies in real time, and additionally or alternatively can implement periodic updates. It can also analyze the snapshot metadata and update the health status of the data flow in real time.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the backup system of Gu to include identifying, from a plurality of system metadata of the computing device, forensics- specific metadata of the computing device based on  Nossik.
The motivation would have been to properly associate and separately store data to control access to content.
 
As per claim 3, Gu in view of Nossik discloses:
The method of claim 1, wherein generating the security event further comprises requesting that a digital investigation be performed (Gu Col. 8 Line 65- Col. 9 Line 17).

As per claim 4, Gu in view of Nossik discloses:
The method of claim 1, wherein generating the security event further comprises restoring the computing device with a previous backup of the user data generated prior to the suspicious digital activity (Gu Col. 8 Lines 54-64).

As per claim 6, Gu in view of Nossik discloses:
The method of claim 1, wherein the forensics-specific metadata comprises at least one of: security privilege information (Gu Col. 1 Lines 62 – Col. 2 Lines 8)

As per claim 7, Gu in view of Nossik discloses:
The method of claim 1, further comprising: generating a notarization identifier of the backup of the forensics-specific metadata, wherein the notarization identifier is one of: a blockchain transaction identifier, a hash value, a digital signature, or a checksum; and storing the notarization identifier with the backup of the forensics-specific metadata (Nossik Col. 10 Lines 33-40). The motivation would have been to properly identify a backup of the metadata.

As per claim 10, Gu in view of Nossik discloses:
The method of claim 1, wherein generating the security event further comprises: identifying characteristics of the suspicious digital activity; identifying enhanced forensics-specific metadata based on the characteristics, wherein the enhanced forensics-specific metadata comprises characteristic-specific details of the suspicious digital activity; and generating subsequent backups of the enhanced forensics-specific metadata (Gu Col. 9 Lines 5-30).

As per claim 11, the implementation of the method of claim 1 will execute the system of claim 11. The claim is analyzed with respect to claim 1.

As per claim 13, the claim is analyzed with respect to claim 3.

As per claim 14, the claim is analyzed with respect to claim 4.

As per claim 16, the claim is analyzed with respect to claim 6.

As per claim 17, the claim is analyzed with respect to claim 7.

As per claim 20, the claim is analyzed with respect to claim 10.

10.	Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Gu in view of Nossik, and further in view of U.S. Publication No. 20190354443 hereinafter Haustein.

As per claim 2, Gu in view of Nossik discloses:
The method of claim 1, wherein generating the security event (Gu Fig. 5) 

Gu in view of Nossik does not disclose:
marking subsequent user data backups of the backup schedule as potentially affected by the suspicious digital activity

	Haustein discloses:
marking subsequent user data backups of the backup schedule as potentially affected by the suspicious digital activity (para 0102 “In one embodiment, the backup system 600 may include the malware detection module (MDM) 602 in the second server 508 to detect abnormal backup volumes, and a new backup index 604 that reflects versions of backup data that have been frozen. The backup system may implement a method to freeze backup versions for a set of backup objects.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the backup 
The motivation would have been to properly identify suspicious subsequent user backup. 

As per claim 12, the claim is analyzed with respect to claim 2.

11.	Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 10438000 hereinafter Gu in view of U.S. Patent No. 10810088 hereinafter Gu2.

As per claim 5, Gu in view of Nossik discloses:
The method of claim 1, wherein generating the security event comprising backup schedule of the forensics-specific metadata (Gu Fig. 5) 

Gu in view of Nossik does not disclose:
increasing a frequency of generating backups in the backup schedule of the forensics-specific metadata

Gu2 discloses:
increasing a frequency of generating backups in the backup schedule of the forensics-specific metadata (Col. 7 Lines 52-61 “The policy 
increase frequency of backups for the system related to this particular user.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the backup system of Gu in view of Nossik to include increasing a frequency of generating backups in the backup schedule of the forensics-specific metadata, as taught by Gu2.
The motivation would have been to properly identify suspicious subsequent user backup. 

As per claim 15, the claim is analyzed with respect to claim 5.

12.	Claims 8, 9, 18, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 10438000 hereinafter Gu in view of U.S. Publication No. 20190392146 hereinafter Gezalov.

As per claim 8, Gu in view of Nossik discloses:

	
Gu in view of Nossik does not disclose:
detecting, from the forensics-specific metadata, a process in the second backup that is not present in the first backup; and determining whether the process is trusted
and in response to determining that the process is not trusted, detecting the indication of the suspicious digital activity on the computing device

	Gezalov discloses:
detecting, from the forensics-specific metadata, a process in the second backup that is not present in the first backup; and determining whether the process is trusted (para 0033 “The backup module 210 saves a copy of an original file prior to the file being edited by an untrusted process. The backup module 210 receives a notification from the monitoring module 202 indicating a file has been opened for editing by an untrusted process that is not on an exclusions list. Responsive to receiving the notification, the backup module 210 saves a copy of the original file prior to the file being edited by the monitored process to log storage 220.”)
para 0025 “The filter module 204 determines whether a detected event matches an entry on an exclusions list. The exclusions list is stored in exclusion storage 230. An exclusions list is a set of entries that each specify a specific filtering parameter or combination of filtering parameters. The filtering parameters can identify event types based on processes, file characteristics, or combinations thereof. A filtering parameter identifying a process can be a process identifier (ID) or a location (e.g., directory) of an executable. A filtering parameter to identify a file characteristic can be a type of file (e.g., file extension), a location of a file (e.g., a directory or file path), or a combination thereof. If an entry on the exclusions list identifies a trusted process without further parameters, the filter module 204 operates to filter all events associated with the process including events associated with threads of the process. If an entry identifies a file characteristic without further parameters, the filter module 204 operates to filter all events by any process operating on a file having the specified file characteristics (e.g., operations on a particular specified type of file, operations on files stored to a particular specified file location, or a combination thereof). If an entry identifies both a process and a file characteristic (e.g., a file type, location, or combination thereof), the filter module 204 operates to filter all event corresponding to an action by the identified process on a file having the identified file characteristic.” Para 0036 “FIG. 3 is a flowchart illustrating an embodiment of a learning process for filtering events analyzed for ransomware detection. The 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the backup system of Gu in view of Nossik to include detecting, from the forensics-specific metadata, a process in the second backup that is not present in the first backup; and determining whether the process is trusted and in response to determining 
The motivation would have been to properly identify suspicious user process. 

As per claim 9, Gu in view of Nossik and Gezalov discloses:
The method of claim 8, wherein determining whether the process is trusted comprises: comparing the process to a plurality of known trusted processes listed in a data structure; and determining that no match between the process and a known trusted process in the plurality of known trusted processes exists (Gezalov para 0028 and 0036).

As per claim 18, the claim is analyzed with respect to claim 8.

As per claim 19, the claim is analyzed with respect to claim 9.
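As an added illustration of the logic recited in claims 7, 8 and 9 (example code written for this page, not taken from the office action or from any of the cited patents), the Python below diffs the process list between two scheduled forensics-metadata backups, checks newcomers against a constructed trust list, emits a security event that names the last clean metadata backup as the restore point, and notarizes each metadata backup with a SHA-256 hash stored beside it. All process names, backup identifiers and timestamps are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed allowlist of trusted process names (hypothetical values).
TRUSTED_PROCESSES = frozenset({"backup-agent", "sshd", "cron", "systemd"})


@dataclass(frozen=True)
class MetadataBackup:
    """One scheduled backup of forensics-specific metadata, kept apart from the user-data backup."""
    backup_id: str
    taken_at: str               # ISO-8601 timestamp (constructed)
    processes: frozenset        # process names observed on the endpoint
    privileged_users: frozenset # security-privilege information (claim 6)


def notarize(backup: MetadataBackup) -> str:
    """Notarization identifier (claim 7): SHA-256 over a canonical JSON encoding of the backup."""
    canonical = json.dumps(
        {"id": backup.backup_id, "at": backup.taken_at,
         "procs": sorted(backup.processes), "priv": sorted(backup.privileged_users)},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_notarization(backup: MetadataBackup, stored_id: str) -> bool:
    """Recompute the identifier and compare it with the one stored alongside the backup."""
    return notarize(backup) == stored_id


def untrusted_new_processes(first: MetadataBackup, second: MetadataBackup,
                            trusted=TRUSTED_PROCESSES) -> set:
    """Claims 8/9: processes in the second backup, absent from the first, with no match in the trust list."""
    return {p for p in second.processes - first.processes if p not in trusted}


def analyze(first: MetadataBackup, second: MetadataBackup, trusted=TRUSTED_PROCESSES):
    """Return a security event dict when an untrusted new process is found, otherwise None."""
    suspects = untrusted_new_processes(first, second, trusted)
    if not suspects:
        return None
    return {
        "event": "suspicious_digital_activity",
        "first_backup": first.backup_id,
        "second_backup": second.backup_id,
        "untrusted_processes": sorted(suspects),
        "new_privileged_users": sorted(second.privileged_users - first.privileged_users),
        "restore_point": first.backup_id,   # last metadata backup taken before the activity
        "mark_subsequent_backups_affected": True,  # claim 2
        "request_investigation": True,             # claim 3
    }


# Constructed sample backups: a second backup in which an unknown process has appeared.
BACKUP_A = MetadataBackup("meta-0001", "2024-01-01T02:00:00Z",
                          frozenset({"sshd", "cron", "backup-agent"}), frozenset({"root"}))
BACKUP_B = MetadataBackup("meta-0002", "2024-01-02T02:00:00Z",
                          frozenset({"sshd", "cron", "backup-agent", "systemd", "unknown-updater"}),
                          frozenset({"root", "tmpadmin"}))

if __name__ == "__main__":
    print(json.dumps(analyze(BACKUP_A, BACKUP_B), indent=2))
```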


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
U.S. Publication No. 20190354443 “In one embodiment, the backup system 600 may include the malware detection module (MDM) 602 in the second server 508 to detect abnormal backup volumes, and 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GARY S GRACIA/Primary Examiner, Art Unit 2491