Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to the application filed on 8/28/2020. Claims 1, 8 and 15 are independent. Claims 1-20 are currently pending.

Claim Objection
Claim 8 is objected to. The claim recites “the system comprising:\”. It should be “the system comprising:”.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 8 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Rowland et al. (WO_2019160427_A1), hereinafter Rowland, in view of Lengyel et al. (Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System, ACM 978-1-4503-3005-3/14/12), hereinafter Lengyel.

	Regarding claims 1, 8 and 15, Rowland teaches [a] method for preventing anti-forensics actions (p.9/86 first para., a method of investigating a host computer by using an investigation system … including … at least one investigative module…; p.15/86 the last para., the investigative module makes a decision on whether a process running on the host computer is suspicious; p.16/86 the suspicious process can be xv. [a]ctive anti-forensics and other anti-detection features and methods), the method comprising:
	identifying a suspicious object from a plurality of objects on a computing device (p.16/86 the suspicious process [suspicious object] can be xv. [a]ctive anti-forensics and other anti-detection features and methods);
	monitoring actions performed by the suspicious object, wherein the actions comprise commands and requests originating from the suspicious object (p.40/86 para. 4, [a]n Investigation Module (3) may thus be configured to investigate the host computer (2) to search for processes [commands and requests] that have environment variables set that indicate anti-forensics [suspicious process] are in use. For example, the environment variable HISTFILE=/dev/null is a typical anti-forensic method. The Investigation Module (3) may be configured to analyze all running processes and if the Investigation Module (3) determines an environment variable indicates anti forensics are in operation, the investigation module (3) returns investigation data indicating the corresponding process is suspicious).
Rowland does not explicitly disclose:
	intercepting a first command by the suspicious object to create and/or modify a digital artifact on the computing device;
	subsequent to intercepting the first command, intercepting a second command by the suspicious object to delete at least one of the suspicious object and the digital artifact;
in response to intercepting both the first command to create and/or modify the digital artifact and the second command to delete at least one of the suspicious object and the digital artifact:
	blocking the second command; and
	storing the suspicious object and the digital artifact in a digital repository.
	However, in an analogous art, Lengyel teaches:
intercepting a first command by the suspicious object to create and/or modify a digital artifact on the computing device (Section 3.2.4, "malware droppers is the rapid creation and deletion of temporary files"; Section 4.1: "we obtained two additional temporary files created by the dropper in the "C:\Windows\System32\sysrep" folder: cryptbase.dll2 and syssetup.dll");
	subsequent to intercepting the first command, intercepting a second command by the suspicious object to delete at least one of the suspicious object and the digital artifact (Section 3.2.4, the carving of deleted files is implemented by intercepting specific internal kernel calls that are responsible for file deletion);
in response to intercepting both the first command to create and/or modify the digital artifact and the second command to delete at least one of the suspicious object and the digital artifact (Section 4.1, [t]hese temporary files were carved from memory as they were created by the dropper and never flushed to disk before deletion):
	blocking the second command (Section 3.2.4, [b]y parsing the handle table of the process we can locate the corresponding _FILE_OBJECT and automatically carve it from memory with Volatility; at least temporarily the command to delete the file has to be blocked in order to allow carving the file contents); and
	storing the suspicious object and the digital artifact in a digital repository (Section 4.1, [a]fter submitting the files to VT; both the malware object and the carved files are stored at some point on the computer).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rowland and Lengyel because the combined system does not have to perform signature-based scans, which improves resiliency as compared to existing forensics tools (Lengyel Section 3.2.1).
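The following is an added illustration of the claimed sequence as the examiner maps it onto Rowland and Lengyel; it is not code from the office action, from the application, or from either reference. It uses the HISTFILE=/dev/null environment indicator quoted from Rowland to pick the suspicious process, and the create-then-delete ordering quoted from Lengyel to decide when a delete is blocked and the artifact preserved. The event fields, process records, file paths and the in-memory "repository" are all constructed for this example.

```python
"""Added example (not from the office action, Rowland or Lengyel): an offline
model of identify -> monitor -> intercept create/modify -> intercept delete ->
block and preserve. All inputs below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Process:
    pid: int
    image: str                  # path of the executable: the "suspicious object"
    image_bytes: bytes          # its contents, so the object itself can be preserved
    env: Dict[str, str]
    suspicious: bool = False


@dataclass
class Event:
    pid: int
    op: str                     # "create", "modify" or "delete"
    path: str
    data: bytes = b""           # new file contents for create/modify


@dataclass
class Monitor:
    processes: Dict[int, Process]
    repository: Dict[str, bytes] = field(default_factory=dict)        # preserved copies
    artifacts: Dict[int, Dict[str, bytes]] = field(default_factory=dict)  # per-pid tracking
    log: List[str] = field(default_factory=list)
    decisions: List[str] = field(default_factory=list)

    def identify_suspicious(self) -> List[int]:
        """Identification step. The discarded-shell-history environment is the
        indicator Rowland quotes; it is a heuristic, not proof of malice."""
        flagged = []
        for proc in self.processes.values():
            if proc.env.get("HISTFILE") == "/dev/null":
                proc.suspicious = True
                flagged.append(proc.pid)
        return flagged

    def handle(self, ev: Event) -> str:
        """Monitoring/interception step. Returns "allow" or "block"."""
        proc = self.processes.get(ev.pid)
        if proc is None or not proc.suspicious:
            return "allow"                      # only the flagged object is monitored
        self.log.append(f"pid={ev.pid} op={ev.op} path={ev.path}")
        tracked = self.artifacts.setdefault(ev.pid, {})
        if ev.op in ("create", "modify"):
            tracked[ev.path] = ev.data          # first command: remember the artifact
            return "allow"
        if ev.op == "delete":
            # Second command: block only a delete of the object itself or of an
            # artifact it created/modified; an unrelated delete is not the
            # claimed create-then-delete pair and passes through.
            if ev.path == proc.image or ev.path in tracked:
                self.repository[proc.image] = proc.image_bytes
                for path, data in tracked.items():
                    self.repository[path] = data
                return "block"
            return "allow"
        return "allow"


def run_demo() -> Monitor:
    """Constructed scenario: a dropper writes a temp DLL, deletes it, then deletes itself."""
    procs = {
        100: Process(100, "/home/user/bash", b"bash", {"HISTFILE": "/home/user/.bash_history"}),
        200: Process(200, "/tmp/dropper", b"DROPPER-BYTES", {"HISTFILE": "/dev/null"}),
    }
    mon = Monitor(procs)
    mon.identify_suspicious()
    events = [
        Event(100, "create", "/home/user/notes.txt", b"benign"),      # benign process
        Event(200, "create", "/tmp/sysrep/cryptbase.dll2", b"MZ...stage2"),
        Event(200, "delete", "/tmp/unrelated.log"),                    # no prior create
        Event(200, "delete", "/tmp/sysrep/cryptbase.dll2"),            # blocked, preserved
        Event(200, "delete", "/tmp/dropper"),                          # self-delete, blocked
    ]
    mon.decisions = [mon.handle(e) for e in events]
    return mon


if __name__ == "__main__":
    m = run_demo()
    for line, decision in zip(m.log, m.decisions[1:]):
        print(f"{decision:5s} {line}")
    print("preserved:", sorted(m.repository))
```

The design point worth noting against the claim language is the pairing requirement: a delete is only blocked when it targets the object or something that object previously created or modified, so the monitor does not interfere with the ordinary file deletes a flagged process performs. In a real system the "repository" would be written to storage the monitored process cannot reach, and interception would sit at the kernel call level as Lengyel describes rather than on an event list.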


 Claims 2-5, 9-12 and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Rowland and Lengyel, as applied to the claims above, and further in view of Urias et al. (US 20200042698 A1), hereinafter Urias.

	Regarding claims 2, 9 and 16, the combination of Rowland and Lengyel teaches all of the limitations of claims 1, 8 and 15 respectively as described above.
The combination of Rowland and Lengyel does not explicitly disclose storing contents of the digital repository with a backup of system and user data on the computing device. However, in an analogous art, Urias teaches storing contents of the digital repository with a backup of system and user data on the computing device (para. 0122, CIRM 402 intercepts communications between the VMs 430, 432, 434 and the hypervisors 420,422, extracts data from the intercepted communications and stores the extracted data in log files and extracted data component 408. In an embodiment, the CIRM reconstruct binary data from the extracted data and analyzes the binary data to extract forensic information. In an embodiment, the extracted data is collected and/or exported in a unified manner).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rowland, Lengyel and Urias because it is used to predict probable consequences of activities corresponding to an event based on cognitive modeling and generate action step recommendations to eliminate or reduce impact of the probable consequences of the activities (Urias para. 0093).

	Regarding claims 3, 10 and 17, the combination of Rowland and Lengyel teaches all of the limitations of claims 1, 8 and 15 respectively as described above.
The combination of Rowland and Lengyel does not explicitly disclose further comprising: storing respective locations of the suspicious object and the digital artifact in the digital repository. However, in an analogous art, Urias teaches further comprising: storing respective locations of the suspicious object and the digital artifact in the digital repository (para. 0045-0047, 2) Data collection [for storing as shown in claim 2]: data integrity, data recovery, data location [location], imaging).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rowland, Lengyel and Urias because it is used to predict probable consequences of activities corresponding to an event based on cognitive modeling and generate action step recommendations to eliminate or reduce impact of the probable consequences of the activities (Urias para. 0093).

	Regarding claims 4, 11 and 18, the combination of Rowland and Lengyel teaches all of the limitations of claims 1, 8 and 15 respectively as described above.
The combination of Rowland and Lengyel does not explicitly disclose further comprising: storing a record of all monitored actions of the suspicious object in the digital repository. However, in an analogous art, Urias teaches (para. 0095, Storage 108 is a network storage device capable of storing any type of data in a structured format or an unstructured format. In addition, storage 108 may represent a plurality of network storage devices. Further, storage 108 may store, for example, identifiers for a plurality of different client devices and client device users; identifiers for a plurality of different data sources; lists of events corresponding to different client device users; activity information corresponding to listed events; detected activity patterns in the collected information; activity context information extracted from the collected information; and the like. Furthermore, storage unit 108 may store other types of data, such as authentication or credential data that may include user names, passwords, and biometric data associated with client device users and system administrators, for example).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rowland, Lengyel and Urias because it is used to predict probable consequences of activities corresponding to an event based on cognitive modeling and generate action step recommendations to eliminate or reduce impact of the probable consequences of the activities (Urias para. 0093).

	Regarding claims 5, 12 and 19, the combination of Rowland and Lengyel teaches all of the limitations of claims 1, 8 and 15 respectively as described above.
The combination of Rowland and Lengyel does not explicitly disclose wherein identifying the suspicious object from the plurality of objects on the computing device comprises: for each respective object of the plurality of objects: extracting a digital signature of the respective object; determining whether the digital signature of the respective object matches any trusted digital signature in a whitelist of digital signatures; and in response to determining that no match exists, identifying the respective object as the suspicious object. However, in an analogous art, Urias teaches wherein identifying the suspicious object from the plurality of objects on the computing device comprises: for each respective object of the plurality of objects: extracting a digital signature of the respective object; determining whether the digital signature of the respective object matches any trusted digital signature in a whitelist of digital signatures; and in response to determining that no match exists, identifying the respective object as the suspicious object (para. 0123, [a]nalyses of the data for criminal, anomalous, or threat indicators are accomplished by leveraging pattern recognition tool-chains with known signatures…).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rowland, Lengyel and Urias because it is used to predict probable consequences of activities corresponding to an event based on cognitive modeling and generate action step recommendations to eliminate or reduce impact of the probable consequences of the activities (Urias para. 0093).

Claim Objection
	Claims 6, 7, 13, 14 and 20 are objected to as being dependent upon rejected base claims, but would be allowable if rewritten in independent form including all of the limitations of the base claims and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday -Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHU CHUN GAO/Examiner, Art Unit 2437 


/MATTHEW SMITHERS/Primary Examiner, Art Unit 2437