Product Features
PII in Magnet AXIOM

Keywords for Personally Identifiable Information (PII) in Magnet AXIOM

Hey all! Tarah Melton here, Forensic Consultant with Magnet Forensics, and I’m bringing to you today a hopefully useful resource when working an investigation that involves Personally Identifiable Information.

Back story: I was approached by a customer for some guidance, who asked, are there any available pre-built PII keyword lists or any other PII specific features available for such a case?

On a venture to assist a customer, I did my own digging, and came across a few great resources in respect to PII keywords, but I unfortunately was unsuccessful in finding one single wide-ranging list of PII keywords for the DFIR community.

But! Whenever I come up short and cannot find the answer, I look to my colleagues and fellow forensicators for an assist. I reached out to Jessica Hyde, Director of Forensics here at Magnet Forensics, who did some digging of her own and came to the same conclusion.

We decided we needed to fix this issue. Not only for the sake of this customer, but for the DFIR community as a whole. I began compiling some of the more common types of PII that you might come across in an examination and utilized the resources listed below to create a comprehensive keyword list for DFIR examiners. Another big shout out to Mike Williamson, one of Magnet’s Technical Forensic Consultants, for assistance and sanity checks on some of the REGEX keywords. We truly have an amazing forensic army here at Magnet Forensics!

You can access the list here at DFIR.training in a .txt format which is easily importable into Magnet AXIOM. The list contains both plain text and regular expression keywords. Here are just a few of the REGEX keywords you’ll find there.

Physical Addresses – This REGEX keyword, adapted from bounteous.com, is an attempt to surface common suffixes of an address. Of course, the shorter ones will generate some false positives, so edit as you see fit!

(street|st|road|rd|drive|dr|lane|ln|avenue|ave|boulevard|blvd|highway|hwy|township|twp|north|south|east|west)

US Phone Numbers – Also adapted from bounteous.com, this expression will find phone numbers from the United States, with or without an area code or extension.

 (?i)((\+?1(\.|-|\s)?)?)\s*((\(?\d{3}\)?(\.|-|\s*)?)?)\s*(\d{3}(\.|-|\s*)?)\s*(\d{4}\s*(((x|ext)\.?(ension)?)\s*\d*)?)

Email Addresses – adapted from cardinalpath.com

([\w\.-]+)@([\da-zA-Z\.-]+)\.([a-zA-Z\.]{2,6})

US Social Security Numbers – Following the rules of US SSNs, this REGEX keyword attempts to find as few false positives as possible. The resource linked is from oreilly.com.

 (?!000|666)[0-8]\d{2}(-|\s)(?!00)\d{2}(-|\s)(?!0000)\d{4}

Credit Card Numbers per Vendor – Regular-expressions.info is an AMAZING resource for writing REGEX patterns.

VISA – 4[0-9]{12}(?:[0-9]{3})?

MasterCard – (?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}

American Express – 3[47][0-9]{13}

Diners Club – 3(?:0[0-5]|[68][0-9])[0-9]{11}

Discover – 6(?:011|5[0-9]{2})[0-9]{12}

JCB – (?:2131|1800|35\d{3})\d{11}

Additional keywords found in the PII keyword list on DFIR.training were found here. And a HUGE shout out to Brett Shavers for hosting the DFIR.training site which houses a TON of other keyword lists and additional resources for the DFIR community.

If you are looking to share with the DFIR community, it’s a great place to submit resources you find useful in your own examinations! Also check out this blog from Jamie McQuaid, Technical Forensic Consultant here at Magnet Forensics, that details utilizing keyword lists in Magnet AXIOM, and this recorded webinar from myself and Trey Amick that shows these keywords in action in Magnet AXIOM Cyber.

So fellow examiners, if you are working an investigation involving PII, and need a starting point of what to search within AXIOM, check out this keyword list for a head start. We encourage you to update, modify, and add to this list to benefit the greater DFIR community! And as always, if you need any assistance with AXIOM, REGEX, or anything in DFIR, please do not hesitate to reach out to me (tarah.melton@magnetforensics.com) or any of us here at Magnet Forensics. One of our experienced forensic examiners will be able to assist!

Tarah Melton, signing off!

If you’re not already using Magnet AXIOM or AXIOM Cyber in your examinations and want try it for yourself, request a trial today!

Related Resources

Blog

Blog

Griffeye products now a part of the Magnet Forensics product suite

Following the announcement that Griffeye would become part of Magnet Forensics, we are thrilled to announce that Griffeye is now fully integrated into the Magnet Forensics family. 

April 12, 2024 • About a 2 minute view
Blog

Blog

Magnet Axiom Cyber 7.10: AWS Sign-in improvements & animated maps

The latest release of Magnet AXIOM Cyber is here, and we’re excited to share new features for analysis and cloud acquisitions.

February 29, 2024 • About a 2 minute view
Blog

Blog

Reviewing email evidence with Email Explorer in Magnet Axiom and Axiom Cyber

With the continued prominence of email in corporate settings, we’re thrilled to unveil a highly anticipated feature to AXIOM Cyber: Email Explorer.

February 29, 2024 • About a 4 minute view
Resource Center Home

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top