phi-scanner/results/phi_scan.ps1

# GreySec PHI Scanner - Windows Host Agent
$ErrorActionPreference = 'SilentlyContinue'
$results = @{
    hostname = $env:COMPUTERNAME
    timestamp = (Get-Date -Format "o")
    findings = @()
}
$extensions = @('*.txt','*.csv','*.log','*.json','*.xml','*.doc','*.docx','*.xls','*.xlsx','*.pdf','*.mdb','*.accdb','*.sql','*.cfg','*.ini','*.dat','*.bak')
$locations = @("$env:USERPROFILE","$env:APPDATA","C:\Users","C:\ProgramData","C:\inetpub","C:\Windows\System32\config")
$ssn = [regex]'\b\d{3}[-\s]\d{2}[-\s]\d{4}\b'
$email = [regex]'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'
$phone = [regex]'\b(\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b'
$mrn = [regex]'\b(MRN|Medical Record|EHR|ID)[:\s#]*\d{6,10}\b'
$dob = [regex]'\b(0[1-9]|1[0-2])[/.-](0[1-9]|[12]\d|3[01])[/.-](19|20)\d{2}\b'
$ip = [regex]'\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
$zip4 = [regex]'\b\d{5}[-\s]\d{4}\b'
$allPatterns = @($ssn,$email,$phone,$mrn,$dob,$ip,$zip4)
$typeMap = @('SSN','Email','Phone','MRN','DOB','IP','ZIP4')
foreach ($loc in $locations) {
    if (Test-Path $loc) {
        foreach ($ext in $extensions) {
            Get-ChildItem $loc -Recurse -Filter $ext -ErrorAction SilentlyContinue | 
            Where-Object { $_.Length -lt 50MB } | ForEach-Object {
                $content = Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue
                if ($content) {
                    for ($i=0; $i -lt $allPatterns.Length; $i++) {
                        $matches = $allPatterns[$i].Matches($content)
                        foreach ($m in $matches) {
                            $start = [Math]::Max(0, $m.Index - 30)
                            $end = [Math]::Min($content.Length, $m.Index + $m.Length + 30)
                            $ctx = $content.Substring($start, $end - $start).Replace("`n"," ").Replace("`r"," ")
                            $results.findings += @{
                                type = $typeMap[$i]
                                value = $m.Value
                                file = $_.FullName
                                context = $ctx
                            }
                        }
                    }
                }
            }
        }
    }
}
$results | ConvertTo-Json -Depth 5 | Out-File -FilePath C:\tmp\phi_scan_results.json -Encoding UTF8
Write-Host "SCAN_COMPLETE: $($results.findings.Count) findings"