DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 23 February 2022 has been entered.
 

Information Disclosure Statement
	An Information Disclosure Statement (IDS) has not been submitted as of the mailing of the last Office Action dated 23 November 2021. Applicant is reminded of the continuing obligation under 37 CFR 1.56 to timely apprise the Office of any information which is material to patentability of the claims under consideration in this application.

Introductory Remarks
	In response to communications filed on 23 February 2022, claims 1-3, 8, 11-13, and 20-21 have been amended per Applicant's request as seen in the Examiner’s amendment below. Claims 17 and 22-24 are cancelled. No claims were withdrawn. Claims 25-27 are new. Therefore, claims 1-16, 18-21 and 25-27 are presently pending in the application, of which claims 1, 11, and 20 are presented in independent form.

The previously raised objection of the claim 12 is withdrawn in view of the amendments to the claims.
The previously raised 103 rejection of the pending claims is withdrawn in view of the Examiner’s amendments to the claims.

Response to Arguments
Applicant’s arguments with respect to the rejection of the claims under 35 U.S.C. 103 have been considered but are moot in view of the Examiner’s amendments to the claims.


EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given by Applicant on 13 June 2022.

The application has been amended as follows:

1. 	(Currently Amended) A computer program product comprising a non-transitory computer-readable medium storing a set of computer-readable instructions, the set of computer-readable instructions comprising instructions executable on a computer that has an operating system with a notification interface to:
use a monitoring hook into the notification interface of the operating system to receive an event;
provide a forensic artifact filter coupled to the monitoring hook, the forensic artifact filter comprising code executable to:
for the event received using the monitoring hook, evaluate the event according to a forensic artifact definition to determine if the event represents a change to a forensic artifact, wherein evaluating the event according to the forensic artifact definition to determine if the event represents the change to the forensic artifact comprises determining that a registry path included in the event corresponds to a ShellBag artifact; and
based on a determination that the event represents the change to the forensic artifact, output a forensic artifact filter output that includes event information for the event, the event information including an indication of the forensic artifact; 
based on the forensic artifact filter output, collect, at the computer, forensic metadata associated with the forensic artifact but not included in the forensic artifact filter output and apply a forensic analysis to the forensic artifact to generate a result that indicates a first activity with respect to the forensic artifact, the forensic metadata including a user identifier for a user of the operating system who carried out the first activity, wherein applying the forensic analysis to the forensic artifact comprises parsing the ShellBag artifact to determine a folder browsed and reconstructing a folder path for the folder browsed; 
generate in real-time, at the computer, a forensically interpreted activity for the event, the forensically interpreted activity comprising a human-understandable description of the folder path for the folder browsed, the first activity 
store the forensically interpreted activity in a digital forensics store for the computer.

2. 	(Currently Amended) The computer program product of claim 1, wherein the set of computer-readable instructions comprises instructions executable to implement a filter driver, the filter driver comprising the forensic artifact filter.

3. 	(Currently Amended) The computer program product of claim 1, wherein the set of computer-readable instructions comprises: 
a set of code libraries, each code library in the set of code libraries corresponding to a different type of forensic artifact; and
code executable to map the event information to a first code library from the set of code libraries, the first code library executable to perform said applying the forensic analysis to the forensic artifact to generate the result, [[and]] said generating the forensically interpreted activity, and said storing the forensically interpreted activity.

4. 	(Original) The computer program product of claim 1, wherein the set of computer-readable instructions comprises code executable to register a callback with the notification interface of the operating system.

5. 	(Original) The computer program product of claim 4, wherein the set of computer-readable instructions comprises a callback routine for the callback, the callback routine comprising the forensic artifact filter. 

6. 	(Previously presented) The computer program product of claim 1, wherein the set of computer-readable instructions comprises instructions executable to: 
set the monitoring hook to receive registry key change notifications, wherein the event specifies a registry key, the registry key located at a registry path location, and wherein evaluating the event according to the forensic artifact definition comprises determining that the event represents the change to the forensic artifact based on the registry path location of the registry key.

7. 	(Previously presented) The computer program product of claim 1, wherein the set of computer-readable instructions comprises instructions executable to: 
set the monitoring hook to receive file change notifications, wherein the event specifies a file, the file located at a file path location, wherein evaluating the event according to the forensic artifact definition comprises determining that the event represents the change to the forensic artifact based on the file path location of the file.

8.	(Currently Amended) The computer program product of claim 1, wherein the set of computer-readable instructions comprises a template activity description and wherein said generating the forensically interpreted activity for the event comprises inserting the forensic metadata and the result into the template activity description.

9.	(Original) The computer program product of claim 1, wherein the forensic artifact filter outputs the forensic artifact filter output as an out-of-band output.

10.	(Original) The computer program product of claim 1, wherein the change to the forensic artifact comprises at least one of a creation of the forensic artifact, an update to the forensic artifact or a deletion of the forensic artifact.

11. 	(Currently Amended) A method for real-time digital forensic instrumentation comprising:
on a computer comprising a processor and an operating system with a notification interface, using a monitoring hook into the notification interface of the operating system to receive an event;
the processor applying a forensic artifact filter to the event, wherein applying the forensic artifact filter comprises:
evaluating the event according to a forensic artifact definition to determine if the event represents a change to a forensic artifact, including determining that a registry path included in the event corresponds to a ShellBag artifact; and
based on a determination that the event represents the change to the forensic artifact, generating a forensic artifact filter output that includes event information for the event, the event information including an indication of the forensic artifact; and	
based on the forensic artifact filter output, the processor collecting forensic metadata associated with the forensic artifact but not included in the forensic artifact filter output and applying a forensic analysis to the forensic artifact to generate a result that indicates a first activity with respect to the forensic artifact, the forensic metadata including a user identifier for a user of the computer who carried out the first activity, wherein applying the forensic analysis to the forensic artifact comprises parsing the ShellBag artifact to determine a folder browsed and reconstructing a folder path for the folder browsed; 
the processor generating, in real-time, a forensically interpreted activity for the event, the forensically interpreted activity comprising a human-understandable description of the folder path for the folder browsed, the first activity and the user who carried out the first activity
the processor storing the forensically interpreted activity in a digital forensics store for the computer.

12. 	(Currently Amended) The method of claim 11, wherein set of computer-readable instructions [[are]] comprises instructions executable to implement a filter driver, the filter driver comprising the forensic artifact filter.

13. 	(Currently Amended) The method of claim 11, further comprising: 
providing a set of code libraries, each code library in the set of code libraries corresponding to a different type of forensic artifact; and
the processor mapping the event information to a first code library from the set of code libraries and executing the first code library to perform said applying the forensic analysis to the forensic artifact to generate the result, [[and]] said generating the forensically interpreted activity and storing the forensically interpreted activity.

14. 	(Original) The method of claim 11, comprising registering a callback with the notification interface of the operating system.

15. 	(Original) The method of claim 14, comprising providing a callback routine for the callback, the callback routine comprising the forensic artifact filter. 

16. 	(Previously presented) The method of claim 11, wherein: 
receiving the event using the monitoring hook comprises receiving a registry key change notification for a registry key at a registry path location; and
evaluating the event according to the forensic artifact definition comprises determining that the registry key is the forensic artifact based on the registry path location of the registry key.

17. 	(Cancelled) 

18.	(Previously presented) The method of claim 11, wherein generating the forensically interpreted activity for the event comprises inserting the forensic metadata and the result into a template activity description.

19.	(Original) The method of claim 11, wherein the change to the forensic artifact comprises at least one of a creation of the forensic artifact, an update to the forensic artifact or a deletion of the forensic artifact.

20.	(Currently Amended) A system comprising:
a processor;
a computer-readable medium storing an operating system having a notification interface and a set of computer-readable instructions, the set of computer-readable instructions executable to configure the processor with real-time forensic instrumentation, the real-time forensic instrumentation comprising:
a monitoring hook into the notification interface of the operating system to receive an event;
a forensic artifact filter coupled to the monitoring hook, the forensic artifact filter comprising code executable to:
for the event received using the monitoring hook, evaluate the event according to a forensic artifact definition to determine if the event represents a change to a forensic artifact, wherein evaluating the event according to the forensic artifact definition to determine if the event represents the change to the forensic artifact comprises determining that a registry path included in the event corresponds to a ShellBag artifact; and
based on a determination that the event represents the change to the forensic artifact, generate a forensic artifact filter output that includes event information for the event, the event information including an indication of the forensic artifact; and
a forensic interpreter subsystem coupled to the forensic artifact filter, the forensic interpreter subsystem comprising code executable to:
based on the forensic artifact filter output, collect forensic metadata associated with the forensic artifact but not included in the forensic artifact filter output and apply a forensic analysis to the forensic artifact to generate a result that indicates a first activity with respect to the forensic artifact, the forensic metadata including a user identifier for a user of the operating system who carried out the first activity, wherein applying the forensic analysis to the forensic artifact comprises parsing the ShellBag artifact to determine a folder browsed and reconstructing a folder path for the folder browsed; 
generate a forensically interpreted activity for the event, the forensically interpreted activity comprising a human-understandable description of the folder path for the folder browsed, the first activity, and the user who carried out the first activity; and
store the forensically interpreted activity in a digital forensics store.

21.	(Currently Amended) The method of claim 11, wherein receiving the event using the monitoring hook comprises receiving a file change notification, wherein the event specifies a file, and wherein evaluating the event according to the forensic artifact definition comprises determining that the event represents the change to the forensic artifact based on [[the]] a file path location of the file.

22.	(Cancelled)

23.	(Cancelled)

24.	(Cancelled)

25. 	(New) The system of claim 20, wherein the set of computer-readable instructions comprises: 
a set of code libraries, each code library in the set of code libraries corresponding to a different type of forensic artifact; and
code executable to map the event information to a first code library from the set of code libraries, the first code library executable to perform said applying the forensic analysis to the forensic artifact to generate the result, said generating the forensically interpreted activity, and said storing the forensically interpreted activity.

26. 	(New) The system of claim 20, wherein the set of computer-readable instructions comprises: 
a callback routine, wherein the callback routine comprises the forensic artifact filter; and
code executable to register a callback for the callback routine with the notification interface of the operating system.

27. 	(New) The system of claim 20, wherein the set of computer-readable instructions comprises instructions executable to: 
set the monitoring hook to receive registry key change notifications, wherein the event specifies a registry key, the registry key located at a registry path location, and wherein evaluating the event according to the forensic artifact definition comprises determining that the event represents the change to the forensic artifact based on the registry path location of the registry key.
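The pipeline the independent claims describe (a registry-change event from the monitoring hook, a forensic artifact filter keyed on the ShellBag registry path, folder-path reconstruction, a templated human-readable activity, and storage) modelled in Python as an added example; this is not the applicant's implementation or any code from the application. The BagMRU snapshot, the event records, the function names and the activity template are constructed assumptions, and the snapshot is already decoded because real ShellBag values are binary shell items that would need a dedicated parser.

```python
from dataclasses import dataclass
from typing import Optional

# Forensic artifact definition: the BagMRU key under the Software\Microsoft\Windows\Shell
# path cited in the Reasons for Allowance. Case-insensitive; hive prefix (HKCU, HKU\<SID>) ignored.
SHELLBAG_ROOT = "software\\microsoft\\windows\\shell\\bagmru"
TEMPLATE = "{user} browsed folder {folder} ({change} of ShellBag node {node})"  # claims 8/18

@dataclass(frozen=True)
class RegistryEvent:
    registry_path: str   # key path carried by the registry change notification
    change: str          # "create", "update" or "delete"

def shellbag_node(registry_path: str) -> Optional[str]:
    """Return the BagMRU node under the root (e.g. '0\\1\\2'), or None if not a ShellBag key."""
    norm = registry_path.replace("/", "\\").lower()
    idx = norm.find("\\" + SHELLBAG_ROOT)
    if idx < 0:
        return None
    return norm[idx + 1 + len(SHELLBAG_ROOT):].strip("\\")

def forensic_artifact_filter(event: RegistryEvent) -> Optional[dict]:
    """Filter stage: emit event info only when the event touches the ShellBag artifact."""
    node = shellbag_node(event.registry_path)
    if node is None:
        return None
    return {"artifact": "ShellBag", "node": node, "change": event.change}

def reconstruct_folder_path(node: str, bagmru: dict) -> str:
    """Analysis stage: walk BagMRU from the root down to `node`, joining each ancestor's name.
    `bagmru` is a constructed, already-decoded {node: folder_name} snapshot; real ShellBag
    values are binary shell items and need a dedicated parser (not shown here)."""
    parts, names = (node.split("\\") if node else []), []
    for depth in range(1, len(parts) + 1):
        key = "\\".join(parts[:depth])
        if key not in bagmru:
            raise KeyError(f"BagMRU node {key!r} missing from snapshot")
        names.append(bagmru[key])
    return "\\".join(names)

def interpret(filter_output: dict, bagmru: dict, user: str) -> str:
    """Interpreter stage: join collected metadata (the user) with the parsed folder path."""
    folder = reconstruct_folder_path(filter_output["node"], bagmru)
    return TEMPLATE.format(user=user, folder=folder, **filter_output)

def process_events(events, bagmru, user) -> list:
    """Run the pipeline over a batch; the returned list is what the forensics store holds."""
    outputs = (forensic_artifact_filter(ev) for ev in events)
    return [interpret(out, bagmru, user) for out in outputs if out is not None]

# Constructed sample data (not from a real hive): one ShellBag change and one unrelated key.
BAGMRU_SNAPSHOT = {"0": "C:", "0\\1": "Users", "0\\1\\0": "alice", "0\\1\\0\\3": "Secret"}
EVENTS = [RegistryEvent(r"HKCU\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\3", "update"),
          RegistryEvent(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "update")]
```

Note that the user identifier is deliberately absent from the filter output and supplied separately to `interpret`, mirroring the claims' "forensic metadata ... not included in the forensic artifact filter output".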

REASONS FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance: an updated search was performed, and the following prior art was identified as relevant:
Zhu et al. (“Zhu”) (US 2011/0276770 A1): disclosed a registry analysis tool in the context of forensic investigation of computers, including “Shellbag information” stored in folders Software/Microsoft/Windows/Shell (Zhu, [0063] and [0068]). Zhu does not appear to teach, suggest, or otherwise render obvious all the limitations of Claims 22-24 pertaining to the ShellBag artifact.
NPL references Duranec et al. and Soltani et al. (see PTO-892 for more detail) include the use of Shellbag information in forensic analysis, but do not appear to teach, suggest, or otherwise render obvious all the limitations of Claims 22-24 pertaining to the ShellBag artifact.

No prior art appeared to teach, suggest, or render obvious the combination of the independent claims’ limitations. The dependent claims are allowable at least by virtue of their dependency on their respective independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to IRENE BAKER whose telephone number is (408)918-7601. The examiner can normally be reached M-F 8-5PM PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, NEVEEN ABEL-JALIL can be reached on (571)270-0474. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/IRENE BAKER/Primary Examiner, Art Unit 2152
14 June 2022