DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-17 of U.S. Patent No. 11,038,908. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the ‘908 patent include all the limitations of the instant claims.
| Instant Application | US Patent No. 11,038,908 |
| --- | --- |
| identifying, via a computer processor, a host operating system and an application architecture; (Claim 8) | identify a current environment for staging a cloud environment, wherein the current environment comprises one or more of an operating system, a host computer, and an application architecture; (Claim 11) |
| updating, via the computer processor, a set of forensic tools in a local repository; (Claim 8) | update forensic tools in a local repository…(Claim 11) |
| creating, via the computer processor, a forensic Virtual Private Cloud (VPC); (Claim 8) | create a forensic clean room Virtual Private Cloud (VPC)…(Claim 11) |
| deploying, via the computer processor, one or more pre-staged tools to object storage; (Claim 8) | …triage tools from an object storage; (Claim 11) |
| and creating, via the computer processor, an encrypted volume to store the set of forensic tools. (Claim 8) | and create encrypted volume to store a forensic toolset of live response scripts and triage tools from an object storage; (Claim 11) |


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites the limitation "the memory component" in line 4. There is insufficient antecedent basis for this limitation in the claim.
Claims 2-14 are rejected based on their dependence upon claim 1.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 15-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because the claims are drawn to a non-transient computer readable medium that has not been defined by the specification. The broadest reasonable interpretation (“BRI”) of a computer readable medium can encompass non-statutory transitory forms of signal transmission, such as propagating electrical or electromagnetic signal per se. See In re Nuijten, 500 F.3d 1346, 84 USPQ2d 1495 (Fed. Cir. 2007). When the BRI encompasses transitory forms of signal transmission, a rejection under 35 U.S.C. 101 as failing to claim statutory subject matter would be appropriate because claims directed to non-statutory transitory forms of signal transmission would not be considered to fall within at least one of the four categories of patent eligible subject matter (See MPEP 2106.03).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 4-8, 11-15, 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Zimmermann, U.S. Publication No. 2018/0027006, in view of Gallant, U.S. Publication No. 2015/0271208.
Referring to claims 1, 8, 15, Zimmermann discloses an enterprise computing environment that includes a cyber intelligence platform that collects data across various platforms ([0560]) and stores the collected data ([0589]), which meets the limitation of a central data repository that stores and maintains data. The system includes a user interface that allows for the user to provide input ([0372]), which meets the limitation of an interactive user interface that receives an input. The system includes a processor and memory that includes instructions to implement the functionality of the system ([0597]), which meets the limitation of a processor, coupled to the memory component and the interactive interface, configured to perform the steps. The platform includes a discovery process for the corporate environment that will be implementing the cloud based protection ([0117]) such that the platform creates logs for Linux hosts in the system ([0522]), which meets the limitation of identifying a host operating system. The discovery process involves the discovery of third-party apps that directly connect to the corporate environment ([0117]), which meets the limitation of identifying an application architecture. The platform allows for the adding ([0108]) of connector packages for specific external systems that allow the platform to collect data from those specific external systems ([0556]) and the platform additionally allows for the configuring of scripts to the platforms ([0556]), which meets the limitation of update a set of forensic tools in a local repository. The platform creates Virtual Private Clouds (VPCs) in order to separate subsystems into different virtual networks ([0323]), which meets the limitation of create a forensic Virtual Private Cloud (VPC).
Zimmermann discloses that the platform additionally allows for the configuring of scripts to the platforms ([0556]). However, Zimmermann does not specify that scripts are securely stored. Gallant discloses analysis scripts ([0044]) that are securely stored in secure non-volatile memory ([0079]-[0080]), which meets the limitation of deploying one or more pre-staged tools to object storage, and creating an encrypted volume to store a forensic toolset. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the scripts of Zimmermann to have been securely stored in order to provide tamper resistant storage for the scripts in a manner that limits access as suggested by Gallant ([0064]).
Referring to claims 4, 11, 18, Zimmermann discloses that the cyber intelligence platform performs monitoring and analysis on user activity and event data stored in logs ([0124]), which meets the limitation of monitoring evidence volume. Event log data includes event source information that may indicate a particular service provider ([0174]-[0175]: event data transferred from service provider to event log reads on the transferring artifacts from completed tasks since the event log data can be sourced from API calls to various service providers), which meets the limitation of transferring artifacts from completed tasks to evidence volume computed directory. Event data can be retained in long-term storage ([0172]), which meets the limitation of transferring artifact archive to long term forensic evidence storage. The collected event data is utilized to create a native event format for the cyber intelligence platform ([0560]: the utilization of the event data to create an event format shows that the forensic aspects have terminated such that the event data is being used to create an event format which can be considered a legacy forensic tool set), which meets the limitation of terminating forensics compute and instances and associated volumes and snapshots, and ingesting artifacts into legacy forensic tool set.
Referring to claims 5, 12, 19, Zimmermann discloses that the behavior based information can be collected from external systems using scripts ([0556]), which meets the limitation of running a collection script. Event log data can be retained for a predefined time period ([0175]), which meets the limitation of archiving an output for a predetermined period of time. The platform includes an anomaly detection engine that utilizes multiple algorithms to investigate and detect outlying anomalies ([0255] & [0564]-[0566]) such that the events utilized can include resource deletion ([0262] & [0311]), which meets the limitation of recognizing an indication of compromise post-instance destruction, initiating an investigation.
Referring to claims 6, 13, Zimmermann discloses that event data is collected and stored in event logs ([0174]-[0175]), which meets the limitation of creating an evidence storage volume. The platform includes an anomaly detection engine that utilizes multiple algorithms to investigate and detect outlying anomalies ([0564]-[0566]: claims do not define any particular functionality of the claimed timeline, memory triage, extractor, malware, and search task against volume snapshots. Therefore, any executable, such as Zimmermann’s plurality of algorithms, would read on the claim limitation addressed above), which meets the limitation of executing a timeline, a memory triage, an extractor, a malware, and a search task against volume snapshots. The event log may additionally include admin activity such as admin actions ([0262]: admin actions can be considered live responses), which meets the limitation of moving live response artifacts to evidence volume.
Zimmermann discloses that the platform additionally allows for the configuring of scripts to the platforms ([0556]). However, Zimmermann does not specify that scripts are securely stored. Gallant discloses analysis scripts ([0044]) that are securely stored in secure non-volatile memory ([0079]-[0080]), which meets the limitation of attaching the encrypted volume to store the set of forensic tools. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the scripts of Zimmermann to have been securely stored in order to provide tamper resistant storage for the scripts in a manner that limits access as suggested by Gallant ([0064]).
Referring to claims 7, 14, Zimmermann discloses an interface that includes an element for action selection (Figure 52), which meets the limitation of wherein the processor is further configured to ingest live response artifacts into a search and visualization tool.
Referring to claim 20, Zimmermann discloses that event data is collected and stored in event logs ([0174]-[0175]), which meets the limitation of creating an evidence storage volume. The platform includes an anomaly detection engine that utilizes multiple algorithms to investigate and detect outlying anomalies ([0564]-[0566]: claims do not define any particular functionality of the claimed timeline, memory triage, extractor, malware, and search task against volume snapshots. Therefore, any executable, such as Zimmermann’s plurality of algorithms, would read on the claim limitation addressed above), which meets the limitation of executing a timeline, a memory triage, an extractor, a malware, and a search task against volume snapshots. The event log may additionally include admin activity such as admin actions ([0262]: admin actions can be considered live responses), which meets the limitation of moving live response artifacts to evidence volume. Zimmermann discloses an interface that includes an element for action selection (Figure 52), which meets the limitation of wherein the processor is further configured to ingest live response artifacts into a search and visualization tool.
Zimmermann discloses that the platform additionally allows for the configuring of scripts to the platforms ([0556]). However, Zimmermann does not specify that scripts are securely stored. Gallant discloses analysis scripts ([0044]) that are securely stored in secure non-volatile memory ([0079]-[0080]), which meets the limitation of attaching the encrypted volume to store the set of forensic tools. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the scripts of Zimmermann to have been securely stored in order to provide tamper resistant storage for the scripts in a manner that limits access as suggested by Gallant ([0064]).
Claims 2, 9, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Zimmermann, U.S. Publication No. 2018/0027006, in view of Gallant, U.S. Publication No. 2015/0271208, and further in view of Ennis Jr, U.S. Patent No. 10,148,493.
Referring to claims 2, 9, 16, Zimmermann discloses that the platform creates Virtual Private Clouds (VPCs) in order to separate subsystems into different virtual networks ([0323]).
Zimmermann does not disclose that the VPCs are generated using a cloud infrastructure service API. Ennis Jr discloses the utilization of an API gateway to perform VPC creation (Col. 8, lines 50-62) such that the API gateway provides network policy and configuration management for public cloud environments (Col. 6, lines 40-50), which meets the limitation of wherein the processor is further configured to create the VPC by using a cloud infrastructure service API. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the enterprise computing environment of Zimmermann to have utilized an API gateway for the creation of VPCs in order to facilitate improved integration with cloud services as suggested by Ennis Jr (Col. 6, lines 26-50). 
Allowable Subject Matter
Claims 3, 10, 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN E LANIER whose telephone number is (571)272-3805. The examiner can normally be reached M-Th: 6:20-4:50.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid, can be reached on 5712724063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BENJAMIN E LANIER/
Primary Examiner, Art Unit 2437