Prosecution Insights
Last updated: April 19, 2026
Application No. 18/941,731

SYSTEMS AND METHODS FOR CLOUD-BASED COLLECTION AND PROCESSING OF DIGITAL FORENSIC EVIDENCE

Office Action: Non-Final OA (§103, §DP)
Filed: Nov 08, 2024
Examiner: WANG, CHAO
Art Unit: 2439
Tech Center: 2400 — Computer Networks
Assignee: Magnet Forensics Inc.
OA Round: 1 (Non-Final)

Grant Probability: 80% (Favorable)
Expected OA Rounds: 1-2
Time To Grant: 2y 11m
Grant Probability With Interview: 99%

Examiner Intelligence

Career Allow Rate: 80% (114 granted / 143 resolved), +21.7% vs TC avg; grants above average
Interview Lift: +85.8% (strong), measured on resolved cases with an interview vs. without
Avg Prosecution (typical timeline): 2y 11m; 23 currently pending
Career history: 166 total applications across all art units

Statute-Specific Performance

§101: 15.1% (-24.9% vs TC avg)
§103: 68.7% (+28.7% vs TC avg)
§102: 5.2% (-34.8% vs TC avg)
§112: 2.1% (-37.9% vs TC avg)

Tech Center average shown as the estimate baseline in the original chart. Based on career data from 143 resolved cases.

Office Action

§103 §DP
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This Office Action is in response to Application 18941731 filed on 03/03/2025. Claims 21, 28, and 36 are independent claims. Claims 1-20 have been cancelled without prejudice. Claims 21-38 were currently amended via the preliminary amendments. Claims 21-38 have been examined and are pending in this application. This Office Action is made Non-Final.

Claim Objections

Claims 21-22 are objected to because of the following informalities:

Claim 21 recites the limitations “the device configured to request a forensic investigation of the target device;” (emphasis added). For better clarity, it is suggested that the aforementioned limitations be further amended to “the investigation requestor computing device configured to request a forensic investigation of the target device;” (emphasis added).

Claim 21 recites the limitations “selecting search criteria for the investigation.” For better clarity, it is suggested that the aforementioned limitations be further amended to “selecting search criteria for the forensic investigation.”

Claim 22 recites the limitations “wherein the investigation requestor device logs in to a website to request the forensic investigation and to select the search criteria.” To properly recite components and associated functions of a claimed system, it is suggested that the aforementioned limitations be further amended to “wherein the investigation requestor computing device configured to logs in to a website to request the forensic investigation and to select the search criteria.”

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The USPTO internet Web site contains terminal disclaimer forms which may be used. Please visit http://www.uspto.gov/forms/. The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 21-25, 28-33, and 36 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-16 of U.S. Patent No. 12,141,272.
Although the claims at issue are not identical, they are not patentably distinct from each other because: The examiner notes that Claims 1-16 of U.S. patent No. 12,141,272 anticipates, more specifically (the instant application claim is listed first, followed by the corresponding claim of U.S. Patent No. 12,141,272):

Instant Application 18/941,731, Claim 21. A system for conducting a cloud-based, forensic investigation to find and collect evidence within electronically-stored information, the system comprising: a target device of the cloud-based forensic investigation, wherein the target device comprises electronically-stored information; an investigation requestor computing device, comprising executable instructions stored in at least one memory and at least one processor to execute the instructions, the device configured to request a forensic investigation of the target device; including: selecting search criteria for the investigation, wherein the search criteria specify one or more selectable forensic artifact types to find on and collect from the target device; and configuring an evidence collection module using the search criteria, the evidence collection module operable, wherein the evidence collection module is generated and provided as a link accessed at the target device, wherein a deployable agent is downloaded and executed from the link, and wherein once downloaded, the deployable agent is configured to: search the electronically-stored information to find forensic artifacts of the one or more forensic artifact types on the target device according to the search criteria; collect the forensic artifacts from the target device; establish a connection to a cloud server configured to store the forensic artifacts; and transmit the forensic artifacts to the cloud server for storage; a cloud-based evidence-processing service executed by or in communication with the cloud server and configured to retrieve and analyze the forensic artifacts and generate an initial report.

U.S. Patent No. 12,141,272, Claim 1. A system for conducting a cloud-based, forensic investigation to find and collect evidence within electronically-stored information of a target, the system comprising: at least one remote system of the target of the cloud-based forensic investigation, wherein the at least one remote system comprises electronically-stored information; an investigation requestor computing device, comprising executable instructions stored in at least one memory and at least one processor to execute the instructions, the device configured to request a forensic investigation of the at least one remote system; including: selecting search criteria for the investigation, wherein the search criteria specify one or more selectable forensic artifact types to find on and collect from the remote system; and configuring an evidence collection module using the search criteria, the evidence collection module operable, once configured, to: search the electronically-stored information to find forensic artifacts of the one or more forensic artifact types on the at least one remote system according to the search criteria, wherein the at least one remote system is a target endpoint device, and wherein the evidence collection module is a deployable agent comprising an executable program embedded with the search criteria that is deployed to the target endpoint device to search for the forensic artifacts and the deployable agent automatically deletes from the target endpoint system; collect the forensic artifacts from the at least one remote system; establish a connection to a cloud server configured to store the forensic artifacts; and transmit the forensic artifacts to the cloud server for storage; a cloud-based evidence-processing service executed by or in communication with the cloud server and configured to retrieve and analyze the forensic artifacts and generate an initial report.

Instant Application 18/941,731, Claim 28. A method of conducting a cloud-based, forensic investigation to find evidence within electronically-stored information of a target device, the method comprising: receiving, at a cloud server, search criteria for forensic artifacts within electronically-stored information of the target device of the cloud-based forensic investigation from an investigation requestor device, wherein the search criteria specify one or more selectable forensic artifact types to find and collect from the target device to acquire evidence for the forensic investigation; configuring an evidence collection module using the search criteria; generating and providing a link which can be accessed on the target device to download the evidence collection module as a deployable agent comprising an executable program embedded with the search criteria, wherein once downloaded the evidence collection module is operable to: search the electronically-stored information to find forensic artifacts of the one or more forensic artifact types on the target device-according to the search criteria; collect the forensic artifacts from the target device; establish a connection to a cloud server configured to store the forensic artifacts; and transmit the forensic artifacts to the cloud server for storage; processing the forensic artifacts using a cloud-based evidence processing service; and generating a digital report based on the processed forensic artifacts.

U.S. Patent No. 12,141,272, Claim 7. A method of conducting a cloud-based, forensic investigation to find evidence within electronically-stored information of a target, the method comprising: receiving at a cloud server search criteria for forensic artifacts within electronically-stored information of at least one remote system of the target of the cloud-based forensic investigation from an investigation requestor device, wherein the search criteria specify one or more selectable forensic artifact types to find and collect from the at least one remote system to acquire evidence for the forensic investigation; configuring an evidence collection module using the search criteria, the evidence collection module operable, once configured, to: search the electronically-stored information to find forensic artifacts of the one or more forensic artifact types on the at least one remote system according to the search criteria, wherein the at least one remote system is a target endpoint device, and wherein the evidence collection module is a deployable agent comprising an executable program embedded with the search criteria that is deployed to the target endpoint device to search for the forensic artifacts and the deployable agent automatically deletes from the target endpoint system; collect the forensic artifacts from the at least one remote system; establish a connection to a cloud server configured to store the forensic artifacts; and transmit the forensic artifacts to the cloud server for storage; processing the forensic artifacts using a cloud-based evidence processing service; and generating a digital report based on the processed forensic artifacts.

Instant Application 18/941,731, Claim 36. A system for conducting a cloud-based, forensic investigation to find evidence within electronically-stored information, the system comprising: a target computing device comprising at least one memory for storing electronically-stored information; a cloud server configured to: receive search criteria from an investigation requestor device, the investigation requestor device being a client device or a forensic provider device, wherein the search criteria specify one or more forensic artifact types to find on and collect from the remote system to acquire evidence for the forensic investigation; configure an evidence collection module using the received search criteria, wherein the at least one remote system is a target endpoint device, and; initiate evidence collection from the target device using the configured evidence collection module, wherein the evidence collection module is a deployable agent comprising an executable program embedded with the search criteria that is deployed to the target endpoint device to search for the forensic artifacts, wherein the deployable agent is accessed and downloaded via a link; store a forensic artifact collected by the configured evidence collection module; analyze the forensic artifact using an evidence processing module; and generate a digital report from an output of the evidence processing module.

U.S. Patent No. 12,141,272, Claim 16. A system for conducting a cloud-based, forensic investigation to find evidence within electronically-stored information of a target, the system comprising: a target computing device comprising at least one memory for storing electronically-stored information; a cloud server configured to: receive search criteria from an investigation requestor device, the investigation requestor device being a client device or a forensic provider device, wherein the search criteria specify one or more forensic artifact types to find on and collect from the remote system to acquire evidence for the forensic investigation; configure an evidence collection module using the received search criteria, wherein the at least one remote system is a target endpoint device, and initiate evidence collection from the target device using the configured evidence collection module; wherein the evidence collection module is a deployable agent comprising an executable program embedded with the search criteria that is deployed to the target endpoint device to search for the forensic artifacts and the deployable agent automatically deletes from the target endpoint system; store a forensic artifact collected by the configured evidence collection module; analyze the forensic artifact using an evidence processing module; and generate a digital report from an output of the evidence processing module.

The examiner notes that the features emphasized above anticipate what is claimed in the limitations of Claims 1-16 of the Instant Application. Therefore, the claims are rejected under nonstatutory double patenting.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 21, 23-24, 26-29, 31, and 33-38 are rejected under 35 U.S.C. 103 as being unpatentable over Vashisht et al. (“Vashisht,” US 20190207966, published on 07/04/2019) in view of Zhou et al. (“Zhou,” US 20200274825, filed on 02/21/2019).
Regarding Claim 21; Vashisht discloses a system for conducting a cloud-based, forensic investigation to find and collect evidence within electronically-stored information, the system comprising (par 0022; cybersecurity intelligence between a cybersecurity intelligence hub located as a public or private cloud-based service and other cybersecurity sources and consumers; par 0025; the global data store includes meta-information associated with analyzed or unanalyzed artifacts [] cybersecurity source provides, via a network device, cybersecurity intelligence utilized by highly trained experts such as cybersecurity analysts, forensic analysts):

a target device of the cloud-based forensic investigation, wherein the target device comprises electronically-stored information (par 0020; meta-information associated with an “artifact” (i.e., an object, an event, indicator of compromise, or other information that subjected to cybersecurity analyses), which received from a plurality of different network devices operating as cybersecurity intelligence source; par 0023; each of the network devices corresponds to a cybersecurity intelligence source or a cybersecurity intelligence consumer; par 0067; the forensic analysis intelligence includes cybersecurity intelligence gathered by forensic analysts or machine-learning driven forensic engines, which is used to formulate models for use by certain types of cybersecurity sensors in classifying an artifact as malicious or benign):

an investigation requestor computing device, comprising executable instructions stored in at least one memory and at least one processor to execute the instructions, the device configured to request a forensic investigation of the target device; including (par 0109; processing component that is configured to execute logic maintained within the non-transitory storage medium operating as a memory; par 0025; cybersecurity intelligence utilized by highly trained experts such as cybersecurity analysts, forensic analysts):

selecting search criteria for the investigation, wherein the search criteria specify one or more selectable forensic artifact types to find on and collect from the target device (par 0029; when the artifact is an object or a process behavior or other event related to an identified object, the distinctive metadata includes a hash value of the object (object ID), which may operate as a search index for stored meta-information within the global data store. The logic within the DMAE of the cybersecurity intelligence hub attempts to determine whether the object ID matches (e.g., is identical or has a prescribed level of correlation with) a stored object ID; par 0104; cybersecurity providers upload meta-information into the global data store and conduct searches for certain stored meta-information within the global data store. As an example, a security administrator initiate a query in accordance with a selected search syntax to retrieve reclassified verdicts as described herein, meta-information associated with certain artifact types); and

configuring an evidence collection module using the search criteria, the evidence collection module operable, wherein the evidence collection module is generated and provided at the target device, wherein a deployable agent is downloaded and executed, and wherein once downloaded, the deployable agent is configured to (par 0134; collect and provide consolidated meta-information associated with the corrected verdicts to one or more cybersecurity sensors associated with the affected customers via path. This consolidated meta-information updates each sensor's data store with the corrected verdicts, and each sensor provide at least a portion of consolidated meta-information to their supported endpoints. Also, the downloaded, consolidated meta-information assists an administrator (or customer) in updating its system resources (e.g., data store(s) in affected sensors, local data store(s) in affected endpoints):

search the electronically-stored information to find forensic artifacts of the one or more forensic artifact types on the target device according to the search criteria (par 0029; a search index for stored meta-information within the global data store. The logic within the DMAE of the cybersecurity intelligence hub attempts to determine whether the object ID matches a stored object ID; par 0104; cybersecurity providers upload meta-information into the global data store and conduct searches for certain stored meta-information within the global data store. As an example, a security administrator initiate a query in accordance with a selected search syntax to retrieve reclassified verdicts as described herein, meta-information associated with certain artifact types);

collect the forensic artifacts from the target device (par 0134; collect and provide consolidated meta-information associated with the corrected verdicts to one or more cybersecurity sensors associated with the affected customers via path. This consolidated meta-information updates each sensor's data store with the corrected verdicts, and each sensor provide at least a portion of consolidated meta-information to their supported endpoints. Also, the downloaded, consolidated meta-information assists an administrator (or customer) in updating its system resources (e.g., data store(s) in affected sensors, local data store(s) in affected endpoints);

establish a connection to a cloud server configured to store the forensic artifacts (par 0023; the cybersecurity intelligence hub operate as (i) a central facility connected via a network to receive meta-information from the sources; (ii) an intelligence analytics resource to analyze the received meta-information, including results from an analysis of meta-information or artifacts received from disparate sources, and store the analysis results with the received meta-information; and/or (iii) a central facility serving as a distribution hub connected via a network to distribute the stored meta-information to the consumers); and

transmit the forensic artifacts to the cloud server for storage (par 0023; the cybersecurity intelligence hub operate as (i) a central facility connected via a network to receive meta-information from the sources; (ii) an intelligence analytics resource to analyze the received meta-information, including results from an analysis of meta-information or artifacts received from disparate sources, and store the analysis results with the received meta-information; and/or (iii) a central facility serving as a distribution hub connected via a network to distribute the stored meta-information to the consumers);

a cloud-based evidence-processing service executed by or in communication with the cloud server and configured to retrieve and analyze the forensic artifacts and generate an initial report (par 0064; the cybersecurity intelligence hub located at an enterprise's premises [] and provided as a service over a public or private cloud-based services; par 0067; the forensic analysis intelligence includes cybersecurity intelligence gathered by forensic analysts; par 0073; each cybersecurity sensor is configured to communicate with the cybersecurity intelligence hub in response to receiving, for analysis, a submission (e.g., meta-information and/or artifact) from a network device; par 0133; upon completion of the analysis and in according with a push notification scheme, the reclassification notification plug-in deployed within the DMAE notify a contact for the customer, via a report).

Vashisht discloses configuring an evidence collection module using the search criteria, the evidence collection module operable, wherein the evidence collection module is generated and provided at the target device, wherein a deployable agent is downloaded and executed, and wherein once downloaded, the deployable agent is configured to as recited above, but does not explicitly disclose provided as a link accessed; executed from the link.

However, in an analogous art, Zhou discloses a network monitoring system/method that includes: provided as a link accessed (Zhou: par 0048; the traffic information to be performed at designated access points in the production network. For example, the designated access points include a port on a production node for transmitting traffic information to a device); executed from the link (Zhou: par 0070; execute a first command (e.g., upload virtual tool) from a monitor that is coupled to the controller computer. The first command may execute to retrieve a copy of software that embodies the virtual tool. The virtual tool retrieved from a vendor computer and stored in a tool market in the database. The command may retrieve the virtual tool by utilizing a network link (e.g., connected to Internet) that enables a connection from the controller computer to a vendor computer).

Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Zhou with the method/system of Vashisht to include provided as a link accessed; executed from the link.
One would have been motivated to monitor with one or more tools. The tools utilized to identify a problem, design a work-around to avoid the problem, and test a long-term solution that solves the problem (Zhou: par 0002).

Regarding Claim 23; The combination of Vashisht and Zhou discloses the system of claim 21. Vashisht discloses wherein the cloud-based evidence-processing service analyzes the forensic artifacts upon collection of the forensic artifacts from the target device (Vashisht: par 0064; the cybersecurity intelligence hub located at an enterprise's premises [] and provided as a service over a public or private cloud-based services; par 0067; the forensic analysis intelligence includes cybersecurity intelligence gathered by forensic analysts; par 0073; each cybersecurity sensor is configured to communicate with the cybersecurity intelligence hub in response to receiving, for analysis, a submission (e.g., meta-information and/or artifact) from a network device, where the artifact is provided from the network device). Zhou further discloses automatically analyzes (Zhou: par 0197; automatic analysis of the production network information stored in the database. For example, the controller computer automatically configure multiple switches in the network monitoring fabric to forward a second portion of the traffic information). The motivation is the same as that of claim 21 above.

Regarding Claim 24; The combination of Vashisht and Zhou discloses the system of claim 21. Vashisht discloses wherein the forensic artifacts are flagged by the cloud-based evidence-processing service within the initial report (Vashisht: par 0064; the cybersecurity intelligence hub located at an enterprise's premises [] and provided as a service over a public or private cloud-based services; par 0067; the forensic analysis intelligence includes cybersecurity intelligence gathered by forensic analysts; par 0073; each cybersecurity sensor is configured to communicate with the cybersecurity intelligence hub in response to receiving, for analysis, a submission (e.g., meta-information and/or artifact) from a network device; par 0133; upon completion of the analysis and in according with a push notification scheme, the reclassification notification plug-in deployed within the DMAE notify a contact for the customer, via a report; par 0134; providing a report identifying these incorrect verdicts via the portal).

Regarding Claim 26; The combination of Vashisht and Zhou discloses the system of claim 21. Zhou discloses wherein the link is a first link, and the first link is a single use link (Zhou: par 0116; a link aggregation group has member links that operate as a single logical link). The motivation is the same as that of claim 21 above.

Regarding Claim 27; The combination of Vashisht and Zhou discloses the system of claim 26. Zhou discloses wherein the investigation requestor computing device requests creation of a second link when the first link has been accessed (Zhou: par 0109; The first instance of the first virtual tool is connected over a fabric link (e.g., first fabric link) to a switch. In like manner, the second instance of the first virtual tool is connected over a fabric link (e.g., second fabric link) to the switch). The motivation is the same as that of claim 21 above.
Regarding Claim 28; Vashisht discloses a method of conducting a cloud-based, forensic investigation to find evidence within electronically-stored information of a target device, the method comprising (par 0022; cybersecurity intelligence between a cybersecurity intelligence hub located as a public or private cloud-based service and other cybersecurity sources and consumers; par 0025; the global data store includes meta-information associated with analyzed or unanalyzed artifacts [] cybersecurity source provides, via a network device, cybersecurity intelligence utilized by highly trained experts such as cybersecurity analysts, forensic analysts):

receiving, at a cloud server, search criteria for forensic artifacts within electronically-stored information of the target device of the cloud-based forensic investigation from an investigation requestor device, wherein the search criteria specify one or more selectable forensic artifact types to find and collect from the target device to acquire evidence for the forensic investigation (par 0020; meta-information associated with an “artifact” (i.e., an object, an event, indicator of compromise, or other information that subjected to cybersecurity analyses), which received from a plurality of different network devices operating as cybersecurity intelligence sources; 0067; the forensic analysis intelligence includes cybersecurity intelligence gathered by forensic analysts or machine-learning driven forensic engines, which is used to formulate models for use by certain types of cybersecurity sensors in classifying an artifact as malicious or benign; par 0029; when the artifact is an object or a process behavior or other event related to an identified object, the distinctive metadata includes a hash value of the object (object ID), which may operate as a search index for stored meta-information within the global data store. The logic within the DMAE of the cybersecurity intelligence hub attempts to determine whether the object ID matches (e.g., is identical or has a prescribed level of correlation with) a stored object ID; par 0104; cybersecurity providers upload meta-information into the global data store and conduct searches for certain stored meta-information within the global data store. As an example, a security administrator initiate a query in accordance with a selected search syntax to retrieve reclassified verdicts as described herein, meta-information associated with certain artifact types);

configuring an evidence collection module using the search criteria (par 0029; determine whether the object ID matches (e.g., is identical or has a prescribed level of correlation with) a stored object ID; par 0134; collect and provide consolidated meta-information associated with the corrected verdicts to one or more cybersecurity sensors associated with the affected customers via path. This consolidated meta-information updates each sensor's data store with the corrected verdicts, and each sensor provide at least a portion of consolidated meta-information to their supported endpoints. Also, the downloaded, consolidated meta-information assists an administrator in updating its system resources);

generating and providing accessed on the target device to download the evidence collection module as a deployable agent comprising an executable program embedded with the search criteria, wherein once downloaded the evidence collection module is operable to (par 0134; collect and provide consolidated meta-information associated with the corrected verdicts to one or more cybersecurity sensors associated with the affected customers via path. This consolidated meta-information updates each sensor's data store with the corrected verdicts, and each sensor provide at least a portion of consolidated meta-information to their supported endpoints. Also, the downloaded, consolidated meta-information assists an administrator (or customer) in updating its system resources (e.g., data store(s) in affected sensors, local data store(s) in affected endpoints):

search the electronically-stored information to find forensic artifacts of the one or more forensic artifact types on the target device-according to the search criteria (par 0029; a search index for stored meta-information within the global data store. The logic within the DMAE of the cybersecurity intelligence hub attempts to determine whether the object ID matches a stored object ID; par 0104; cybersecurity providers upload meta-information into the global data store and conduct searches for certain stored meta-information within the global data store. As an example, a security administrator initiate a query in accordance with a selected search syntax to retrieve reclassified verdicts as described herein, meta-information associated with certain artifact types);

collect the forensic artifacts from the target device (par 0134; collect and provide consolidated meta-information associated with the corrected verdicts to one or more cybersecurity sensors associated with the affected customers via path. This consolidated meta-information updates each sensor's data store with the corrected verdicts, and each sensor provide at least a portion of consolidated meta-information to their supported endpoints. Also, the downloaded, consolidated meta-information assists an administrator (or customer) in updating its system resources (e.g., data store(s) in affected sensors, local data store(s) in affected endpoints);

establish a connection to a cloud server configured to store the forensic artifacts (par 0023; the cybersecurity intelligence hub operate as (i) a central facility connected via a network to receive meta-information from the sources; (ii) an intelligence analytics resource to analyze the received meta-information, including results from an analysis of meta-information or artifacts received from disparate sources, and store the analysis results with the received meta-information; and/or (iii) a central facility serving as a distribution hub connected via a network to distribute the stored meta-information to the consumers); and

transmit the forensic artifacts to the cloud server for storage (par 0023; the cybersecurity intelligence hub operate as (i) a central facility connected via a network to receive meta-information from the sources; (ii) an intelligence analytics resource to analyze the received meta-information, including results from an analysis of meta-information or artifacts received from disparate sources, and store the analysis results with the received meta-information; and/or (iii) a central facility serving as a distribution hub connected via a network to distribute the stored meta-information to the consumers);

processing the forensic artifacts using a cloud-based evidence processing service (par 0064; the cybersecurity intelligence hub located at an enterprise's premises [] and provided as a service over a public or private cloud-based services; par 0067; the forensic analysis intelligence includes cybersecurity intelligence gathered by forensic analysts; par 0073; each cybersecurity sensor is configured to communicate with the cybersecurity intelligence hub in response to receiving, for analysis, a submission (e.g., meta-information and/or
artifact) from a network device; par 0133; upon completion of the analysis and in according with a push notification scheme, the reclassification notification plug-in deployed within the DMAE notify a contact for the customer, via a report); and generating a digital report based on the processed forensic artifacts (par 0064; the cybersecurity intelligence hub located at an enterprise's premises [] and provided as a service over a public or private cloud-based services; par 0067; the forensic analysis intelligence includes cybersecurity intelligence gathered by forensic analysts; par 0073; each cybersecurity sensor is configured to communicate with the cybersecurity intelligence hub in response to receiving, for analysis, a submission (e.g., meta-information and/or artifact) from a network device; par 0133; upon completion of the analysis and in according with a push notification scheme, the reclassification notification plug-in deployed within the DMAE notify a contact for the customer, via a report). Vashisht discloses generating and providing accessed on the target device to download the evidence collection module as a deployable agent comprising an executable program embedded with the search criteria, wherein once downloaded the evidence collection module is operable to as recited above, but do not providing a link which can be accessed. However, in an analogous art, Zhou discloses network monitoring system/method that includes: providing a link which can be accessed (Zhou: par 0048; the traffic information to be performed at designated access points in the production network. For example, the designated access points include a port on a production node for transmitting traffic information to a device); Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Zhou with the method/system of Vashisht to include providing a link which can be accessed. 
One would have been motivated to monitor with one or more tools. The tools utilized to identify a problem, design a work-around to avoid the problem, and test a long-term solution that solves the problem (Zhou: par 0002). Regarding Claim 29; The combination of Vashisht and Zhou disclose the method of claim 28, Vashisht discloses wherein the search criteria is selected by a client (Vashisht: par 0135; an authorized requester initiate a search with select search parameters to retrieve meta-information). Regarding Claim 31; The combination of Vashisht and Zhou disclose the method of claim 28, Vashisht discloses wherein selecting search criteria by a client further includes selecting search criteria from options provided by the forensic service provider (Vashisht: par 0021; a request from a network device operating as a cybersecurity intelligence consumer, a portion of meta-information pertaining to a prior evaluated artifact corresponding to the monitored artifact provided to the requesting cybersecurity intelligence consumer; par 0067; the forensic analysis intelligence includes cybersecurity intelligence gathered by forensic analysts; par 0135; an authorized requester initiate a search with select search parameters to retrieve meta-information). Zhou further discloses from pre-determined options (Zhou: par 0104; automatically scales the virtual tool based on a predetermined threshold associated with the virtual tool). The motivation is the same that of claim 28 above. 
Regarding Claim 33; The combination of Vashisht and Zhou disclose the method of claim 28, Vashisht discloses wherein at least one artifact of interest is flagged for review (Vashisht: par 0064; the cybersecurity intelligence hub located at an enterprise's premises [] and provided as a service over a public or private cloud-based services; par 0067; the forensic analysis intelligence includes cybersecurity intelligence gathered by forensic analysts; par 0073; each cybersecurity sensor is configured to communicate with the cybersecurity intelligence hub in response to receiving, for analysis, a submission (e.g., meta-information and/or artifact) from a network device; par 0133; upon completion of the analysis and in according with a push notification scheme, the reclassification notification plug-in deployed within the DMAE notify a contact for the customer, via a report; par 0134; providing a report identifying these incorrect verdicts via the portal). Regarding Claim 34; This Claim recites a method that perform the same steps as system of Claim 26, and has limitations that are similar to Claim 26, thus are rejected with the same rationale applied against claim 26. Regarding Claim 35; This Claim recites a method that perform the same steps as system of Claim 27, and has limitations that are similar to Claim 27, thus are rejected with the same rationale applied against claim 27. 
Regarding Claim 36; Vashisht discloses a system for conducting a cloud-based, forensic investigation to find evidence within electronically-stored information, the system comprising (par 0022; cybersecurity intelligence between a cybersecurity intelligence hub located as a public or private cloud-based service and other cybersecurity sources and consumers; par 0025; the global data store includes meta-information associated with analyzed or unanalyzed artifacts [] cybersecurity source provides, via a network device, cybersecurity intelligence utilized by highly trained experts such as cybersecurity analysts, forensic analysts): a target computing device comprising at least one memory for storing electronically-stored information (par 0109; processing component that is configured to execute logic maintained within the non-transitory storage medium operating as a memory; par 0025; cybersecurity intelligence utilized by highly trained experts such as cybersecurity analysts, forensic analysts): a cloud server configured to: receive search criteria from an investigation requestor device, the investigation requestor device being a client device or a forensic provider device, wherein the search criteria specify one or more forensic artifact types to find on and collect from the remote system to acquire evidence for the forensic investigation (par 0020; meta-information associated with an “artifact” (i.e., an object, an event, indicator of compromise, or other information that subjected to cybersecurity analyses), which received from a plurality of different network devices operating as cybersecurity intelligence sources; 0067; the forensic analysis intelligence includes cybersecurity intelligence gathered by forensic analysts or machine-learning driven forensic engines, which is used to formulate models for use by certain types of cybersecurity sensors in classifying an artifact as malicious or benign; par 0029; when the artifact is an object or a process behavior or 
other event related to an identified object, the distinctive metadata includes a hash value of the object (object ID), which may operate as a search index for stored meta-information within the global data store. The logic within the DMAE of the cybersecurity intelligence hub attempts to determine whether the object ID matches (e.g., is identical or has a prescribed level of correlation with) a stored object ID; par 0104; cybersecurity providers upload meta-information into the global data store and conduct searches for certain stored meta-information within the global data store. As an example, a security administrator initiate a query in accordance with a selected search syntax to retrieve reclassified verdicts as described herein, meta-information associated with certain artifact types); configure an evidence collection module using the received search criteria, wherein the at least one remote system is a target endpoint device (par 0029; determine whether the object ID matches (e.g., is identical or has a prescribed level of correlation with) a stored object ID; par 0134; collect and provide consolidated meta-information associated with the corrected verdicts to one or more cybersecurity sensors associated with the affected customers via path. This consolidated meta-information updates each sensor's data store with the corrected verdicts, and each sensor provide at least a portion of consolidated meta-information to their supported endpoints. 
Also, the downloaded, consolidated meta-information assists an administrator in updating its system resources), and; initiate evidence collection from the target device using the configured evidence collection module, wherein the evidence collection module is a deployable agent comprising an executable program embedded with the search criteria that is deployed to the target endpoint device to search for the forensic artifacts, wherein the deployable agent is accessed and downloaded (par 0029; a search index for stored meta-information within the global data store. The logic within the DMAE of the cybersecurity intelligence hub attempts to determine whether the object ID matches a stored object ID; par 0104; cybersecurity providers upload meta-information into the global data store and conduct searches for certain stored meta-information within the global data store. As an example, a security administrator initiate a query in accordance with a selected search syntax to retrieve reclassified verdicts as described herein, meta-information associated with certain artifact types; par 0134; collect and provide consolidated meta-information associated with the corrected verdicts to one or more cybersecurity sensors associated with the affected customers via path. This consolidated meta-information updates each sensor's data store with the corrected verdicts, and each sensor provide at least a portion of consolidated meta-information to their supported endpoints. 
Also, the downloaded, consolidated meta-information assists an administrator (or customer) in updating its system resources (e.g., data store(s) in affected sensors, local data store(s) in affected endpoints); store a forensic artifact collected by the configured evidence collection module (par 0023; the cybersecurity intelligence hub operate as (i) a central facility connected via a network to receive meta-information from the sources; (ii) an intelligence analytics resource to analyze the received meta-information, including results from an analysis of meta-information or artifacts received from disparate sources, and store the analysis results with the received meta-information; and/or (iii) a central facility serving as a distribution hub connected via a network to distribute the stored meta-information to the consumers); analyze the forensic artifact using an evidence processing module (par 0023; the cybersecurity intelligence hub operate as (i) a central facility connected via a network to receive meta-information from the sources; (ii) an intelligence analytics resource to analyze the received meta-information, including results from an analysis of meta-information or artifacts received from disparate sources, and store the analysis results with the received meta-information; and/or (iii) a central facility serving as a distribution hub connected via a network to distribute the stored meta-information to the consumers); and generate a digital report from an output of the evidence processing module (par 0064; the cybersecurity intelligence hub located at an enterprise's premises [] and provided as a service over a public or private cloud-based services; par 0067; the forensic analysis intelligence includes cybersecurity intelligence gathered by forensic analysts; par 0073; each cybersecurity sensor is configured to communicate with the cybersecurity intelligence hub in response to receiving, for analysis, a submission (e.g., meta-information and/or artifact) 
from a network device; par 0133; upon completion of the analysis and in according with a push notification scheme, the reclassification notification plug-in deployed within the DMAE notify a contact for the customer, via a report). Vashisht discloses initiate evidence collection from the target device using the configured evidence collection module, wherein the evidence collection module is a deployable agent comprising an executable program embedded with the search criteria that is deployed to the target endpoint device to search for the forensic artifacts, wherein the deployable agent is accessed and downloaded via a link as recited above, but do not access and downloaded via a link. However, in an analogous art, Zhou discloses network monitoring system/method that includes: accessed and downloaded via a link (Zhou: par 0048; the traffic information to be performed at designated access points in the production network. For example, the designated access points include a port on a production node for transmitting traffic information to a device). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Zhou with the method/system of Vashisht to include accessed and downloaded via a link. One would have been motivated to monitor with one or more tools. The tools utilized to identify a problem, design a work-around to avoid the problem, and test a long-term solution that solves the problem (Zhou: par 0002). Regarding Claim 37; This Claim recites a system that perform the same steps as system of Claim 26, and has limitations that are similar to Claim 26, thus are rejected with the same rationale applied against claim 26. Regarding Claim 38; This Claim recites a system that perform the same steps as system of Claim 27, and has limitations that are similar to Claim 27, thus are rejected with the same rationale applied against claim 27. 
Claims 22 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Vashisht et al. (US 20190207966) in view of Zhou et al. (US 20200274825), and further in view of Alasia et al. (“Alasia,” US 20050276442, published on 12/15/2005) Regarding Claim 22; The combination of Vashisht and Zhou disclose the system of claim 21, Vashisht discloses wherein the investigation requestor device request the forensic investigation and to select the search criteria (Vashisht: par 0021; a request from a network device operating as a cybersecurity intelligence consumer, a portion of meta-information pertaining to a prior evaluated artifact corresponding to the monitored artifact provided to the requesting cybersecurity intelligence consumer; par 0067; the forensic analysis intelligence includes cybersecurity intelligence gathered by forensic analysts; par 0135; an authorized requester initiate a search with select search parameters to retrieve meta-information). The combination of Vashisht and Zhou disclose device request the forensic investigation and to select the search criteria as recited above, but do not explicitly disclose device logs in to a website to request. However, in an analogous art, Alasia discloses network based object authentication system/method that includes: device logs in to a website to request (Alasia: par 0051; connect to the network (e.g., by logging into an Internet website) for [] request). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Alasia with the method/system of Vashisht and Zhou to include device logs in to a website to request. One would have been motivated to the authentication processor co-located with the inspection site and some or all of the authentication processor remote from the inspection site. The authentication processor connected to the image acquisition device over a network (Alasia: par 0032). 
Regarding Claim 30; This Claim recites a method that perform the same steps as system of Claim 22, and has limitations that are similar to Claim 22, thus are rejected with the same rationale applied against claim 22. Claims 25 and 32 are rejected under 35 U.S.C. 103 as being unpatentable over Vashisht et al. (US 20190207966) in view of Zhou et al. (US 20200274825), and further in view of Hecht et al. (“Hecht,” US 20190207772, published on 07/04/2019) Regarding Claim 25; The combination of Vashisht and Zhou disclose the system of claim 21, Vashisht discloses wherein the initial report is generated by the cloud-based evidence-processing service and sent to the forensic service provider (Vashisht: par 0073; in response to receiving, for analysis, a submission (e.g., meta-information and/or artifact) from a network device; par 0134; cybersecurity provider or customer may periodically issue a request message for updated verdicts via the portal; par 0133; upon completion of the analysis and in according with a push notification scheme, the reclassification notification plug-in deployed within the DMAE notify a contact for the customer, via a report). The combination of Vashisht and Zhou disclose report is generated by the cloud-based evidence-processing service as recited above, but do not explicitly disclose report is generated automatically. However, in an analogous art, Hecht discloses network scan system/method that includes: report is generated automatically (Hecht: par 0077; automatically generating a forensics report regarding activity). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Hecht with the method/system of Vashisht and Zhou to include report is generated automatically. 
One would have been motivated to executed by at least one processor, the instructions can cause the at least one processor to perform operations for identifying potentially compromised cloud-based access information (Hecht: par 0007). Regarding Claim 32; This Claim recites a method that perform the same steps as system of Claim 25, and has limitations that are similar to Claim 25, thus are rejected with the same rationale applied against claim 25. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644. The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
/C.W./Examiner, Art Unit 2439 /LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439
Prosecution Timeline

Nov 08, 2024
Application Filed
Mar 03, 2025
Response after Non-Final Action
Dec 23, 2025
Non-Final Rejection — §103, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596797
IDENTIFY POTENTIAL PATTERNS OF COMPROMISE ON LOG FILES
2y 5m to grant Granted Apr 07, 2026
Patent 12572646
EXECUTION PROTECTION USING DATA COLOURING
2y 5m to grant Granted Mar 10, 2026
Patent 12547708
Known-Deployed File Metadata Repository and Analysis Engine
2y 5m to grant Granted Feb 10, 2026
Patent 12536275
SYSTEM FOR DETECTION OF UNAUTHORIZED COMPUTER CODE USING AN ARTIFICIAL INTELLIGENCE-BASED ANALYZER
2y 5m to grant Granted Jan 27, 2026
Patent 12511397
SECURE FIRMWARE UPLOAD
2y 5m to grant Granted Dec 30, 2025
Prosecution Projections

1-2
Expected OA Rounds
80%
Grant Probability
99%
With Interview (+85.8%)
2y 11m
Median Time to Grant
Low
PTA Risk
Based on 143 resolved cases by this examiner. Grant probability derived from career allow rate.