13025007 (P.T.A.B. Sep. 22, 2017)

Ex Parte Bronner et al

Patent Trial and Appeal BoardSep 22, 2017

13025007 (P.T.A.B. Sep. 22, 2017)

United States Patent and Trademark Office UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O.Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 13/025,007 02/10/2011 Derek P. Bronner 1032-020US01 1792 28863 7590 09/26/2017 SHUMAKER & SIEFFERT, P. A. 1625 RADIO DRIVE SUITE 100 WOODBURY, MN 55125 EXAMINER BUKHARI, SIBTE H ART UNIT PAPER NUMBER 2449 NOTIFICATION DATE DELIVERY MODE 09/26/2017 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): pairdocketing @ ssiplaw.com PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte DEREK P. BRONNER, ROBERT A. JOYCE, MATTHEW P. DONOVAN, and JULIA A. BAKER Appeal 2016-004668 Application 13/025,0071 Technology Center 2400 Before ROBERT E. NAPPI, CATHERINE SHIANG, and JAMES W. DEJMEK, Administrative Patent Judges. DEJMEK, Administrative Patent Judge. DECISION ON APPEAL Appellants appeal under 35 U.S.C. § 134(a) from a Final Rejection of claims 1—32. We have jurisdiction over the pending claims under 35 U.S.C. § 6(b). We affirm-in-part. 1 Appellants identify Architecture Technology Corporation as the real party in interest. App. Br. 3. Appeal 2016-004668 Application 13/025,007 STATEMENT OF THE CASE Introduction Appellants’ disclosed and claimed invention is generally directed to techniques for remotely acquiring computer forensic evidence relating to a target computer. Spec. Tflf 1—5. According to the Specification, a “forensic investigative tool” is a configurable software tool that allows an investigator to select various forensic tools (from a larger suite of forensic tools) to be used on a target computer in order to acquire certain data. Spec. Tflf 4—6, 35. Example forensic tools may retrieve information related to network communications, log files, memory dumps, etc. Spec. 142. In a disclosed embodiment, the forensic investigative tool (i.e., a forensic device) comprises a storage device that stores “an investigative profile.” Spec. 35—38. Further, in a disclosed embodiment, the investigative profile (i) identifies a plurality of forensic tools from a set of forensic tools; (ii) defines a sequence in which the identified forensic tools are invoked by the forensic investigative tool; (iii) defines operational parameters needed by the identified forensic tools to execute on the target device; and (iv) identifies the data to be captured from the target device. Spec. H 38— 41. Claim 12 is illustrative of the subject matter on appeal and is reproduced below with the disputed limitations emphasized in italics'. 12. A forensic device comprising: a storage device that stores an investigative profile that identifies a plurality of forensic tools from a set of forensic tools and defines a manner in which a forensic investigative tool invokes the identified forensic tools for an investigation of a target computing device, wherein to define the manner in which the forensic investigative tool invokes the identified forensic tools, the investigative profile defines: 2 Appeal 2016-004668 Application 13/025,007 a sequence in which the forensic investigative tool invokes the identified forensic tools, one or more operational parameters for respective identified forensic tools needed for the execution of the respective forensic tools on the target computing device, and an identification of data to capture from the target computing device; and a hardware unit that executes the forensic investigative tool to: process the investigative profile to provide a common execution framework for selective execution of the plurality of forensic tools identified by the investigative profile, the framework including a common user interface and a reporting structure associated with the plurality of forensic tools; transfer one or more of the identified forensic tools and a remote agent to the target computing device for temporary storage; temporarily execute the remote agent on the target computing device to execute the identified forensic tools on the target computing device in accordance with the sequence and the one or more operational parameters investigative profile; and receive data acquired from the target computing device by the execution of the identified forensic tools in accordance with the investigative profile. The Examiner’s Rejections 1. Claims 1, 2, 4—7, 9-12, 14, 15, 17, 18, and 20-24 stand provisionally rejected under the doctrine of obviousness-type double patenting over U.S. Patent Application 13/024,995. Final Act. 5—11. 2. Claims 1—10, 12—21, 23, and 25—32 stand rejected under 35 U.S.C. § 102(b) as being anticipated by Adelstein, et al. (US 2009/0288164 Al; Nov. 19, 2009) (“Adelstein”). Final Act. 11-30. 3 Appeal 2016-004668 Application 13/025,007 3. Claim 24 stands rejected under 35 U.S.C. § 103(a) as being unpatentable over Adelstein and Lim (US 8,321,437 B2; Nov. 27, 2012). Final Act. 31—32. 4. Claims 11 and 22 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Adelstein and Fahey (US 2009/0164522 Al; June 25, 2009). Final Act. 32—33. ANALYSIS2 Rejection under doctrine of obviousness-type double patenting Appellants do not address the Examiner’s provisional rejection of claims 1, 2, 4—7, 9-12, 14, 15, 17, 18, and 20-24 under the doctrine of obviousness-type double patenting. See App. Br. 7 (identifying the grounds rejection to be reviewed). Additionally, Appellants have not filed a terminal disclaimer. Further, the Examiner maintains the provisional rejection. Adv. Act. 2 (mailed March 12, 2015); Ans. 2—9. To the extent Appellants have not advanced separate, substantive arguments for particular claims or issues, such arguments are considered waived. See 37 C.F.R. § 41.37(c)(l)(iv); see also Manual of Patent Examining Procedure (“MPEP”) § 1205.02 (9th ed., Rev. 11.2013, Mar. 2014). 2 Throughout this Decision we have considered the Appeal Brief, filed August 17, 2015 (“App. Br.”); the Reply Brief, filed April 4, 2016 (“Reply Br.”); the Examiner’s Answer, mailed February 2, 2016 (“Ans.”); and the Final Office Action, mailed December 19, 2014 (“Final Act.”), from which this Appeal is taken. 4 Appeal 2016-004668 Application 13/025,007 Accordingly, we summarily sustain the Examiner’s provisional rejection of claims 1, 2, 4—7, 9—12, 14, 15, 17, 18, and 20-24 under the doctrine of obviousness-type double patenting. Rejection under 35 U.S.C. § 102(b) Appellants assert the Examiner erred in finding Adelstein discloses an investigative profile that, inter alia, identifies a plurality of forensic tools from a set of forensic tools and, further, an investigative profile that defines a sequence in which the identified forensic tools are invoked and also defines one or more operational parameters needed by the identified forensic tools to execute properly. App. Br. 10—11; Reply Br. 5—12. In particular, Appellants contend that rather than an investigative profile, as claimed, the profile relied on by the Examiner relates to a resource usage profile (or application profile), which is “used to filter out extraneous, forensically uninteresting data from the collected evidence.” App. Br. 10 (quoting Adelstein 115 (emphasis omitted)). Further, Appellants assert, to the extent Adelstein discloses an investigative profile, the Examiner erred in finding Adelstein’s disclosure of communicating commands from the forensic device to the operating system of the target device (see Adelstein 179) and identifying which calls require a privilege (and simply logging those calls) (see Adelstein || 168—169) meets the claimed limitations of an investigative profile that defines (i) a sequence in which the forensic tools are invoked and (ii) one or more operational parameters needed by the forensic tools to execute properly. App. Br. 10—11. As set forth infra, we find Appellants’ arguments persuasive of Examiner error. 5 Appeal 2016-004668 Application 13/025,007 Adelstein is generally directed to a forensic device that allows a user to remotely collect and analyze data collected from a target computer. Adelstein | 5. Adelstein describes that, in operation, the forensic device presents the user with the option of selecting from existing forensic inquiries or creating a new one. Adelstein | 8. The forensic inquiry includes information such as case information and target device information. Adelstein | 8. Adelstein further describes the case information as comprising a case name, case investigator name, and a location where to store the acquired data. Adelstein | 8. Target device information may include the target device host name, IP address operating system, access methods and passwords. Adelstein | 8. Adelstein identifies exemplary acquisition operations as including acquiring log files communication statistics, system data, account information, file sharing information, etc. Adelstein 19. “The user may select any combination of the possible acquisition operations provided by the forensic device to acquire state information of the target computing device as well as files and additional computer evidence.” Adelstein 19. Additionally, Adelstein discloses that after the acquisition operations have been selected, the forensic device will perform the acquisition operations “in a determined order to reduce the impact the acquisition operations have on other data stored within [the] target computing device.” Adelstein 111. However, the Examiner does not find the claimed investigative profile is met by Adelstein’s forensic inquiry; or that the forensic inquiry defines identifying a plurality of forensic tools (i.e., access methods and acquisition operations) from a set of forensic tools as part of the target device information of the forensic inquiry; or that the forensic inquiry further 6 Appeal 2016-004668 Application 13/025,007 defines one or more operational parameters (e.g., passwords, operating system type, IP address) as part of the case information necessary for the identified access methods or acquisition operations to execute properly. Instead, the Examiner relies on Adelstein’s disclosure of an application profile and a data analysis module that provides one or more data analysis tools to the user meets the claimed limitation of an investigative profile identifying a plurality of forensic tools from a set of forensic tools. Final Act. 18 (citing Adelstein H 14—15, 72—73, 116—122). Further, the Examiner finds Adelstein describes an analysis tool used to verily log entries are in chronological order and to detect gaps in expected entries. Ans. 34 (citing Adelstein || 54, 79-81); Final Act. 18. Additionally, the Examiner finds Adelstein describes an “application instance” that calls various functions that may require certain privileges for accessing files and that this discloses defining operational parameters needed for the identified forensic tools to execute properly. Final Act. 18 (citing Adelstein || 168—169). As an initial matter, we agree with Appellants that the application profile of Adelstein is inapposite to the claimed investigative profile. Also, although Adelstein’s data analysis tools may be considered part of a set of forensic tools, the Examiner has not provided sufficient evidence or technical explanation that Adelstein describes a sequence in which the data analysis tools are invoked. Rather, Adelstein describes the forensic device/forensic inquiry may execute the acquisition operations (i.e., forensic tools) in a predetermined order to maintain the integrity of the captured evidence. Adelstein || 11, 52.3 Additionally, Adelstein describes logging 3 We note the Examiner cites to paragraph 52 of Adelstein as describing an order of operation for acquisition tools, but the Examiner does not provide 7 Appeal 2016-004668 Application 13/025,007 function calls that require a privilege. Adelstein 1168. Although the privilege information may meet the claimed limitation of an operational parameter, the Examiner has not provided sufficient persuasive evidence or reasoning explaining how such parameters would be defined by an investigative profile in Adelstein.* * 4 The Examiner also finds Figure 5 of Adelstein discloses the entirety of claim 12. Ans. 34. We do not reach the issue as to whether Figure 5 of Adelstein discloses the limitations recited in claim 12 because the Examiner has not provided sufficient evidence from Adelstein (i.e., the accompanying text directed to Figure 5) or explanation to support such a finding. For the reasons discussed supra, and constrained by the record before us, we do not sustain the Examiner’s rejection of independent claim 12 under 35 U.S.C. § 102(b). For similar reasons, we also do not sustain the Examiner’s rejection of independent claims 1 and 23, which recite similar limitations. Additionally, we do not sustain the Examiner’s rejection of claims 2—10, 13—21, and 25—32, which depend therefrom. Rejections under 35 U.S.C. § 103(a) The Examiner cites additional references for the rejections of claims 11, 22, and 24 under 35 U.S.C. § 103(a). The Examiner relies on Adelstein sufficient explanation that the sequence of operation applies to the data analysis tools. See Ans. 33. 4 We also note the section of Adelstein relied upon appears to describe a “different embodiment.” See Adelstein 1165. To anticipate, a prior art reference must disclose more than “multiple, distinct teachings that the artisan might somehow combine to achieve the claimed invention.” Net MoneylN, Inc. v. VeriSign, Inc., 545 F.3d 1359, 1371 (Fed. Cir. 2008). 8 Appeal 2016-004668 Application 13/025,007 in the same manner discussed above in the context of claims 1,12, and 23, and does not rely on the additional references in any manner that remedies the deficiencies of the underlying anticipation rejection. Therefore, we do not sustain the Examiner’s rejection of claims 11, 22, and 24, which depend therefrom. DECISION We summarily affirm the Examiner’s decision provisionally rejecting claims 1, 2, 4—7, 9-12, 14, 15, 17, 18, and 20-24 under the doctrine of obviousness-type double patenting. We reverse the Examiner’s decision rejecting claims 1—10, 12—21, 23, and 25-32 under 35 U.S.C. § 102(b). We reverse the Examiner’s decision rejecting claims 11, 22, and 24 under 35 U.S.C. § 103(a). No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(l)(iv). See 37 C.F.R. §41.50(f). AFFIRMED-IN-PART 9