DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-7 and 13-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Cisler et al. (2011/0083098).
Regarding claim 1:
Cisler teaches:
A method for cross-referencing forensic snapshots over time, the method comprising:
 receiving a first snapshot of a computing device at a first time and a second snapshot of the computing device at a second time [par 19, 49, 50, 61 – the term view is used interchangeably with snapshot]; 
applying a pre-defined filter to the first snapshot and the second snapshot, wherein the pre-defined filter includes a list of files that are to be extracted from each snapshot [par 53, 54 – filters particular elements to monitor and consider to detect changes]; 
subsequent to applying the pre-defined filter, identifying differences in the list of files extracted from the first snapshot and the second snapshot [par 53, 54, 75 – changes in files of the capture views are identified]; 
creating a change map for the computing device that comprises the differences in the list of files over a period of time, wherein the period of time comprises the first time and the second time [par 55-57, 75, 78 – changes identified, variations of a change map highlighting the differences are created, e.g. timeline view, item listing, etc.] ; and 
outputting the change map in a user interface [fig 3-5;  par 55, 56].
Regarding claim 2:
Cisler teaches:
The method of claim 1, further comprising: 
receiving a third snapshot of the computing device at a third time; applying the pre-defined filter to the third snapshot [par 19, 49, 50, 61 – the actions are clearly repeated for multiple snapshots/views]; 
identifying differences in the list of files extracted from the second snapshot and the third snapshot [par 53, 54, 75]; 
modifying the change map for the computing device to further include differences in the list of files at the third time, wherein the period of time further comprises the third time [par 55-57, 75, 78 – both the timeline interface and the items list show multiple time instances and the differences in files among them].
Regarding claim 3:
Cisler teaches:
The method of claim 2, wherein the differences in the list of files at the third time is relative to the second time [par 53-57, 75, 78 – the timeline and list are shown on continuum allowing for multiple times to be compared relative to other times].
Regarding claim 4:
Cisler teaches:
The method of claim 2, wherein the differences in the list of files at the third time is relative to the first time [par 53-57, 75, 78].
Regarding claim 5:
Cisler teaches:
The method of claim 1, wherein the change map is visually outputted in a user interface as a timeline with a plurality of selectable time points each representing a snapshot of the computing device [fig 3, 4], further comprising: 
receiving a selection of a time point [par 69, 73, 75, 78]; and 
generating a window with respective differences between a filtered snapshot associated with the time point and a prior filtered snapshot [fig 4, 5; par 73, 75, 78].
Regarding claim 6:
Cisler teaches:
The method of claim 5, wherein the time point selected is the second time associated with the second snapshot, and wherein the window presents the differences in the list of files extracted from the first snapshot and the second snapshot [par 69, 73, 75, 78].
Regarding claim 7:
Cisler teaches:
The method of claim 5, wherein the window is interactive and presents drill-down analysis for each file in the respective differences [fig 4, 5; par 69, 75, 76].

Regarding claims 13-19:
The claims are rejected as the systems for performing the methods of claims 1-7.
Cisler further teaches a hardware processor [par 39].

Regarding claim 20:
The claim is rejected as the non-transitory computer readable medium storing instructions for performing the method of claim 1.
Cisler further teaches a computer program product comprising a medium and instructions [par 102].

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Cisler in view of Reed et al. (2020/0004644).
Regarding claim 8:
See the teachings of Cisler outlined above.
Cisler does not explicitly teach outputting the change map in the user interface in response to detecting an error. Cisler does, however, teach that the change map in the user interface is in response to a desire to restore file data.
Reed teaches that recovery of data loss from backup data is performed in the case of error [par 2 – describes that data loss can occur from many types of corruption, hardware and software failure, human error, etc.].
It would have been obvious to one of ordinary skill in the art prior to the effective filing date to combine the recovery from backup in case of error of Reed with the backup and restoration of data of Cisler.
One of ordinary skill in the art prior to the effective filing date would have been motivated to make the recovery because Cisler teaches a method of backup and restoration of file system data using visualizations in a user interface. Reed explicitly teaches that such backup and recovery and visualizations for representing file system data are explicitly important in cases of data loss due to computer and/or human error detected in a computing device [par 2].

Allowable Subject Matter
Claims 9-12 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
‘968 to Bender et al. discloses performing snapshots and calculating a malware index value that indicates the probability of malware infection and performing an emergency snapshot in response to crossing an index threshold.
‘614 to Adduri et al. discloses taking filesystem snapshots, analyzing the difference among the snapshots to detect when data corruption has occurred and the fileset changes that might have caused the corruption, and providing a visualization of the timeline of those changes.
‘996 to Gathala et al. discloses a forensics client that receives instructions indicating portions of memory to monitor for changes and collecting snapshots in case of identified changes. A remote forensic analyzer receives the snapshots and performs forensic analysis on particular data types based on the collected information.
‘394 to Crofton et al. discloses a backup system the receives data backups, deduplicates the data to determine common files among the backed-up data sets, extracting common files from the backups and comparing the common files to detect changes based on a uniqueness value. The system can initiate mitigation actions based on major changes in shared/common rates of files among the backups.
‘338 to Brandwine discloses taking data captures at multiple time periods. The captures can be mounted in a forensic volume that is presented to a user in a GUI, and the user is able to mount different volumes to view the changes to the files over time to perform a forensic analysis.
Adelstein et al. (NPL) discloses techniques for filtering snapshots to remove uninteresting files from multiple snapshots to aid in efficient forensic analysis of the snapshots.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MARC M DUNCAN whose telephone number is (571)272-3646. The examiner can normally be reached M-F 7-330.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Bryce Bonzo can be reached on 571-272-3655. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MARC DUNCAN/Primary Examiner, Art Unit 2113