This script scan files for the Zone.Identifier stream (ADS : Alternate Data Streams) and prints the referrer + host URLs if available

zoneidentifier_dump.py

#!/usr/bin/env python
# Help with Powershell encoding:
# [Console]::InputEncoding = [Console]::OutputEncoding = [Text.UTF8Encoding]::new()
# $env:PYTHONIOENCODING="utf-8"
import argparse, pathlib

parser = argparse.ArgumentParser(description='This script scan files for the Zone.Identifier stream (ADS : Alternate Data Streams) and prints the referrer + host URLs if available')
parser.add_argument('path', metavar='PATH', type=pathlib.Path, help='Path (file or directory) to scan')
parser.add_argument('-r', '--recurse', action='store_true', help='Recurse subdirectories')
parser.add_argument('-ia', '--include-about', action='store_true', help='Include about:client, about:internet entries')
args = parser.parse_args()

if args.path.is_file():
	file_list = (args.path,)
elif args.path.is_dir():
	file_list = args.path.glob('**/*' if args.recurse else '*')
else:
	parser.error('PATH should point to a file or directory')

for file in file_list:
	try:
		with file.with_name(file.name + ':Zone.Identifier').open('r') as z:
			infos = []
			for line in z.readlines():
				if any(s in line for s in {'ReferrerUrl', 'HostUrl'}):
					line = line.strip()
					if not args.include_about and line in {'ReferrerUrl=about:client', 'HostUrl=about:internet'}:
						continue
					infos.append(line)
			if infos:
				print('-- {}\n{}\n'.format(
					file.relative_to(args.path),
					'\n'.join(infos)
				))
	except:
		pass