results/phi_scan.ps1

# GreySec PHI Scanner - Windows Host Agent
$ErrorActionPreference = 'SilentlyContinue'
$results = @{
    hostname = $env:COMPUTERNAME
    timestamp = (Get-Date -Format "o")
    findings = @()
}
$extensions = @('*.txt','*.csv','*.log','*.json','*.xml','*.doc','*.docx','*.xls','*.xlsx','*.pdf','*.mdb','*.accdb','*.sql','*.cfg','*.ini','*.dat','*.bak')
$locations = @("$env:USERPROFILE","$env:APPDATA","C:\Users","C:\ProgramData","C:\inetpub","C:\Windows\System32\config")
$ssn = [regex]'\b\d{3}[-\s]\d{2}[-\s]\d{4}\b'
$email = [regex]'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'
$phone = [regex]'\b(\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b'
$mrn = [regex]'\b(MRN|Medical Record|EHR|ID)[:\s#]*\d{6,10}\b'
$dob = [regex]'\b(0[1-9]|1[0-2])[/.-](0[1-9]|[12]\d|3[01])[/.-](19|20)\d{2}\b'
$ip = [regex]'\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
$zip4 = [regex]'\b\d{5}[-\s]\d{4}\b'
$allPatterns = @($ssn,$email,$phone,$mrn,$dob,$ip,$zip4)
$typeMap = @('SSN','Email','Phone','MRN','DOB','IP','ZIP4')
foreach ($loc in $locations) {
    if (Test-Path $loc) {
        foreach ($ext in $extensions) {
            Get-ChildItem $loc -Recurse -Filter $ext -ErrorAction SilentlyContinue | 
            Where-Object { $_.Length -lt 50MB } | ForEach-Object {
                $content = Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue
                if ($content) {
                    for ($i=0; $i -lt $allPatterns.Length; $i++) {
                        $matches = $allPatterns[$i].Matches($content)
                        foreach ($m in $matches) {
                            $start = [Math]::Max(0, $m.Index - 30)
                            $end = [Math]::Min($content.Length, $m.Index + $m.Length + 30)
                            $ctx = $content.Substring($start, $end - $start).Replace("`n"," ").Replace("`r"," ")
                            $results.findings += @{
                                type = $typeMap[$i]
                                value = $m.Value
                                file = $_.FullName
                                context = $ctx
                            }
                        }
                    }
                }
            }
        }
    }
}
$results | ConvertTo-Json -Depth 5 | Out-File -FilePath C:\tmp\phi_scan_results.json -Encoding UTF8
Write-Host "SCAN_COMPLETE: $($results.findings.Count) findings"
Initial commit: phi-scanner 2026-05-08 17:44:26 -05:00			`# GreySec PHI Scanner - Windows Host Agent`
			`$ErrorActionPreference = 'SilentlyContinue'`
			`$results = @{`
			`hostname = $env:COMPUTERNAME`
			`timestamp = (Get-Date -Format "o")`
			`findings = @()`
			`}`
			`$extensions = @('.txt','.csv','.log','.json','.xml','.doc','.docx','.xls','.xlsx','.pdf','.mdb','.accdb','.sql','.cfg','.ini','.dat','*.bak')`
			`$locations = @("$env:USERPROFILE","$env:APPDATA","C:\Users","C:\ProgramData","C:\inetpub","C:\Windows\System32\config")`
			`$ssn = [regex]'\b\d{3}[-\s]\d{2}[-\s]\d{4}\b'`
			`$email = [regex]'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z\|a-z]{2,}\b'`
			`$phone = [regex]'\b(\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b'`
			`$mrn = [regex]'\b(MRN\|Medical Record\|EHR\|ID)[:\s#]*\d{6,10}\b'`
			`$dob = [regex]'\b(0[1-9]\|1[0-2])[/.-](0[1-9]\|[12]\d\|3[01])[/.-](19\|20)\d{2}\b'`
			`$ip = [regex]'\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'`
			`$zip4 = [regex]'\b\d{5}[-\s]\d{4}\b'`
			`$allPatterns = @($ssn,$email,$phone,$mrn,$dob,$ip,$zip4)`
			`$typeMap = @('SSN','Email','Phone','MRN','DOB','IP','ZIP4')`
			`foreach ($loc in $locations) {`
			`if (Test-Path $loc) {`
			`foreach ($ext in $extensions) {`
			`Get-ChildItem $loc -Recurse -Filter $ext -ErrorAction SilentlyContinue \|`
			`Where-Object { $_.Length -lt 50MB } \| ForEach-Object {`
			`$content = Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue`
			`if ($content) {`
			`for ($i=0; $i -lt $allPatterns.Length; $i++) {`
			`$matches = $allPatterns[$i].Matches($content)`
			`foreach ($m in $matches) {`
			`$start = [Math]::Max(0, $m.Index - 30)`
			`$end = [Math]::Min($content.Length, $m.Index + $m.Length + 30)`
			$ctx = $content.Substring($start, $end - $start).Replace("`n"," ").Replace("`r"," ")
			`$results.findings += @{`
			`type = $typeMap[$i]`
			`value = $m.Value`
			`file = $_.FullName`
			`context = $ctx`
			`}`
			`}`
			`}`
			`}`
			`}`
			`}`
			`}`
			`}`
			`$results \| ConvertTo-Json -Depth 5 \| Out-File -FilePath C:\tmp\phi_scan_results.json -Encoding UTF8`
			`Write-Host "SCAN_COMPLETE: $($results.findings.Count) findings"`