Finding personally identifiable information (PII) with PowerShell.

Good network security involves defense-in-depth. This means that you should implement several different defenses to keep your network, platform or computer secure. The first part of a good defense is to keep the bad guys out of your network using a firewall, but in the event that they circumvent your firewall you need ‘plan B’. Plan B in this example could be application whitelisting on your devices, strong passwords, anti-malware, anti-virus, PC firewalls, least privilege network design etc. Okay, that’s all great, but what if bad guys are able to circumvent ‘plan B’?

That’s when you need to know what is on your network that they might want. If you have a server with personnel files or credit card information, that will most likely be the first place many miscreants would attack. But did you know there could be a goldmine of private information on your PCs and you don’t even know it? How much is the data on your PC worth? Brian Krebs has an interesting article called ‘The Scrap Value of a Hacked PC’. The data on your PC may be worth more than you realize!
There are several tools out there that can find PII on your computer, but one easy and fast way is to run a PowerShell script. You can even use this script to find PII on other computers in your network. (Yes, if a bad guy gets in he could easily run this script against you and your network using the tools you currently have on your PCs).

Simply open PowerShell and paste in the following scripts to check your computer for SSNs. When the script is finished, it will write a CSV file with the results.

Find SSN on remote PC
Note: Your credentials must be allowed on the target PC; adjust the path to suit your needs. The UNC path syntax works for all of the examples below to hit remote targets.
Change the computer name from ‘mypc’ and the username from ‘myusername’ to your target computer and username.
Change the path to a local path to scan locally, for example c:\users\fred.

# Finds SSN with space or dash (-) between numbers on a remote PC
Get-ChildItem -Path "\\mypc\c$\users\myusername\desktop" -Recurse -Force -Include *.doc, *.docx, *.xls, *.xlsx, *.txt, *.pdf, *.ppt, *.pptx | Select-String "[0-9]{3}[- ][0-9]{2}[- ][0-9]{4}" | Select-Object Path, Line, LineNumber | Export-Csv "c:\ssn_pii.csv" -NoTypeInformation

Now that we’ve established we can look for SSNs, let’s scan for files on your PC with the word ‘Password’ in them.

# Finds 'password' in documents, and saves to csv file
Get-ChildItem -Path "c:\users\" -Recurse -Force -Include *.doc, *.docx, *.xls, *.xlsx, *.txt, *.pdf, *.ppt, *.pptx | Select-String "[Pp]assword" | Select-Object Path, Line, LineNumber | Export-Csv "c:\passwordPII.csv" -NoTypeInformation

Now let’s scan for credit card numbers on your PC:

# Finds any cc numbers in documents, and saves to csv file
Get-ChildItem -Path "c:\users" -Recurse -Force -Include *.doc, *.docx, *.xls, *.xlsx, *.txt, *.pdf, *.ppt, *.pptx | Select-String "[3-6][0-9]{3}[- ][0-9]{4}[- ][0-9]{4}[- ][0-9]{4}" | Select-Object Path, Line, LineNumber | Export-Csv "c:\CC_PII.csv" -NoTypeInformation

I’ve found that some of these scripts give false alarms as there are a lot of temp files with all sorts of numeric data in them, but the goal here is to find obvious breaches in your security at little to no cost. If you want a full detailed report and automatic scans, you probably should be looking at a fully supported software solution.
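
The false alarms on the credit card scan can be cut down by checking each candidate against the Luhn checksum that payment card numbers carry, and the result file does not need to hold full numbers. The following is an added example, not code from the original post; the function names, file types, paths and the sample file are assumptions.

```powershell
# Added example (not from the original post); names and paths are assumptions.
function Test-Luhn {
    param([string]$Digits)
    $sum = 0
    $double = $false
    # Walk right to left, doubling every second digit.
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10 -eq 0)
}

function Find-CardNumber {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Plain-text types only: Select-String reads raw file content and
        # does not unpack compressed formats such as .docx or .xlsx.
        [string[]]$Include = @('*.txt', '*.csv', '*.log')
    )
    $pattern = '\b[3-6][0-9]{3}[- ][0-9]{4}[- ][0-9]{4}[- ][0-9]{4}\b'
    Get-ChildItem -Path $Path -Recurse -Force -File -Include $Include -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object {
            foreach ($m in $_.Matches) {
                $digits = $m.Value -replace '[^0-9]', ''
                if (Test-Luhn $digits) {
                    # Report only the last four digits, never the full number.
                    [pscustomobject]@{
                        Path       = $_.Path
                        LineNumber = $_.LineNumber
                        Masked     = ('*' * 12) + $digits.Substring(12)
                    }
                }
            }
        }
}

# Constructed sample: 4111-1111-1111-1111 is a published test number that
# passes Luhn; changing the last digit to 2 makes it fail.
$dir = Join-Path $env:TEMP 'pii-scan-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'sample.txt') -Value 'ref 4111-1111-1111-1112', 'card 4111-1111-1111-1111'
Find-CardNumber -Path $dir | Export-Csv -Path (Join-Path $env:TEMP 'cc_scan_masked.csv') -NoTypeInformation
```

On the constructed sample the CSV contains one row, for line 2 of sample.txt, with the value masked to its last four digits.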

Now that you know how easy it is to find PII on your computers, clean them up and be careful where you use and keep your private data!

1 comment

  1. RocketCity

    Used the first script to scan for .txt, .docx, .xlsx and .pdf, but it only picks up the SSN in the .txt file and not the others. Any tips on searching these types of files? Also wondered if there was a way to search .pst files as well.

    Great work and any advice you have would be great.
