DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-22 are pending.

Priority
Acknowledgement is made of applicant's claim for priority based on application 62/885,588 filed on 08/12/2019.

Claim Objections
Claims 1, 12, and 22 are objected to because of the following informalities:
“the operation” in line 9 of claim 1 lacks antecedent basis.
“the distributed digital forensic workflow” in line 10 of claim 1 lacks antecedent basis.
“the at least one data-collecting agent device” in line 7 of claim 12 and line 10 of claim 22 lacks antecedent basis.
Appropriate correction is required.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
 (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 3-9, 12, 14-20, and 22 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Bennett (US 20210011999).

Claim 1, Bennett discloses A forensic investigation system for conducting distributed digital forensic processing, the system comprising: 
one or more agent computing devices comprising: at least one data-collecting agent device operable to collect digital forensic data; (e.g. fig. 1, ¶16-19, 22-23: collecting forensic data) and at least one processing agent device operable to conduct at least a portion of the distributed digital forensic processing on the digital forensic data; (e.g. fig. 1, ¶24-25, 27: hashing and encrypting the collected forensic data for secure transport, combining collected forensic information, filtering out certain types of evidence to reduce redundancy)
a central computing device for managing the operation of the one or more agent computing devices for conducting the distributed digital forensic workflow, the central computing device operable to communicate with the one or more agent computing devices via at least one data communication network; and (e.g. fig. 1, ¶16, 24-25: controlling the operation of the LFECs, making the evidence collectors start collecting forensic data, receiving the collected forensic data from the evidence collection mechanisms or LFECs for analysis and storage)
a data storage device for storing the digital forensic data collected by the at least one data-collecting agent device.  (e.g. fig. 1, ¶16, 24, 27: storing the collected forensic data)

Claim 3, Bennett discloses The system of claim 1, wherein the at least one data-collecting agent device is preconfigured to collect the digital forensic data from a target device. (e.g. fig. 1, ¶16-19, 23, 25)

Claim 4, Bennett discloses The system of claim 1, wherein the at least one data-collecting agent device is a target device. (e.g. ¶16-19, 23, 25)

Claim 5, Bennett discloses The system of claim 1, wherein the at least one data-collecting agent device is remotely provisioned to be operable to collect the digital forensic data.  (e.g. fig. 1, ¶16-19, 23, 25)

Claim 6, Bennett discloses The system of claim 5, wherein, following remote provisioning, the central computing device is operable to transmit one or more commands to the at least one data-collecting agent device to collect the digital forensic data. (e.g. fig. 1, ¶25)

Claim 7, Bennett discloses The system of claim 6, wherein, in response to receiving the one or more commands, the at least one data-collecting agent device is operable to collect the digital forensic data and transmit the digital forensic data. (e.g. fig. 1, ¶16-19, 24-25)

Claim 8, Bennett discloses The system of claim 7, wherein the at least one data-collecting agent device transmits the digital forensic data to the central computing device.  (e.g. fig. 1, ¶16, 24)

Claim 9, Bennett discloses The system of claim 7, wherein the at least one data-collecting agent device transmits the digital forensic data to the data storage device. (e.g. ¶27)

Claims 12 and 22, these claims are rejected for similar reasons as in claim 1.


Claim 14, this claim is rejected for similar reasons as in claim 3.

Claim 15, this claim is rejected for similar reasons as in claim 4.

Claim 16, this claim is rejected for similar reasons as in claim 5.

Claim 17, this claim is rejected for similar reasons as in claim 6.

Claim 18, this claim is rejected for similar reasons as in claim 7.

Claim 19, this claim is rejected for similar reasons as in claim 8.

Claim 20, this claim is rejected for similar reasons as in claim 9.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 2 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Bennett (US 20210011999) in view of Rahaman (US 20160020959).

Claim 2, Bennett discloses The system of claim 1, wherein the central computing device is operable to allocate the one or more agent computing devices based on a forensic investigation associated with the collected digital forensic data.  (e.g. fig. 1, ¶16-19, 23, 25)
Although Bennett discloses the central computing device is operable to allocate the one or more agent computing devices based on a forensic investigation associated with the collected digital forensic data (see above), Bennett does not appear to explicitly disclose but Rahaman discloses based on a priority status of a forensic investigation associated with the collected digital forensic data (e.g. ¶17, 21, 34-35, 74).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Rahaman into the invention of Bennett for the purpose of empowering clients and customers in some on-demand forensic investigations (Rahaman, ¶17).

Claim 13, this claim is rejected for similar reasons as in claim 2.

Claims 10, 11 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Bennett (US 20210011999) in view of Sood (US 20170161501).

Claim 10, Bennett discloses The system of claim 1, (see above) and does not appear to explicitly disclose but Sood discloses wherein the one or more agent computing devices further comprise at least one virtual computing device. (e.g. fig. 4, ¶20, 47)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Sood into the invention of Bennett for the purpose of securely forwarding forensic data of a network function virtualization network architecture to a security audit and forensic database (Sood, ¶47).

Claim 11, Bennett-Sood discloses The system of claim 10, wherein the at least one virtual computing device is accessible by the central computing device via a virtual private network.  (Bennett, e.g. ¶24 and Sood, e.g. fig. 4, ¶44, 47, 62).  Same motivation as in claim 10 would apply.

Claim 21, this claim is rejected for similar reasons as in claim 10.



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

US 20160149938 discloses the collection of the forensic data may be performed by the server 130 using a plurality of agents 115-1 through 115-N installed respectively on the user devices 110. Each of the agents 115 may be implemented as an application program having instructions that may reside in a memory of the respective user device 110. Each agent 115 is communicatively connected to the server 130 over the network 120…each agent 115 is configured to monitor the activity of the respective user device 110 over the network 120 and collect forensic data respective thereof. The forensic data is then sent to the server 130 for further analysis. The server 130 includes a memory and a processor…the forensic data may be sent for storage to a database 140 communicatively coupled to the server 130 over, for example, the network 120. According to yet another exemplary embodiment, the forensic data collected by an agent 115 may be sent directly to the database 140 over the network 120. The database 140 is accessible by the server 130, thereby enabling the server 130 to analyze the forensic data upon demand.

US 20120191660 discloses a system wherein forensic data is automatically gathered from one or more monitored systems and transferred to a forensic analysis apparatus. More particularly, in some example embodiments, activity on a monitored apparatus is automatically monitored (e.g., periodically) and forensic data is transferred to a forensic analysis apparatus, which may gather forensic data over a period of time from one or more monitored apparatuses. In accordance with some such example embodiments, the forensic analysis apparatus receives the forensic data from the monitored apparatus and processes and stores the data for analysis. 

US 10257216 discloses a system for obtaining and analyzing forensic data in a distributed computer infrastructure, said system comprising: multiple computation devices; at least one monitoring unit; at least one analysis unit; and an operating unit; wherein said computation devices are connected to one another via a communication network, and each computation device is configured to detect security events and to send them to the monitoring unit, and the monitoring unit is configured to rate the received security events and to assign them a danger category, wherein when there is insufficient information for assigning a danger category, each computation device is configured to receive instructions for collecting additional forensic data for rating the security event and to send the collected, additional data to the monitoring unit, and the monitoring unit is configured to transmit instructions for collecting additional data to the computation device, and, following reception of the collected, additional data, to evaluate said data and to use them for fresh rating and assignment of a danger category, wherein the analysis unit is configured to transmit a software agent to the computation device for installation and activation on the computation device, and wherein the software agent is configured to ascertain additional data in the computation device and to send them to the analysis unit, wherein the analysis unit processes the additional data and sends the processed additional data to the monitoring unit, wherein the monitoring unit again rates the security events by assigning a weighting factor to the security events and the processed additional data and by assigning a danger category if the sum of the weighting factors exceeds a threshold value, and the monitoring unit reports the danger category to the operating unit, and wherein the operating unit takes an action based on the reported danger category. 

US 20180307833 discloses log information may be processed by an agent 58, which in some cases may associate the logged information with additional forensic data gathered from user land application program interfaces of the operating system, like those described elsewhere herein. In some embodiments, the agent 58 may apply various criteria to determine whether the resulting aggregate information indicates a potential attack is occurring, and in some cases report this information into the cloud for further processing and aggregation and correlation across different computing devices, for instance by the security event processing system 14. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:00 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436