On Tue, 22 Dec 2020, Peter Kronenberg wrote:
Oh, so reading the stream doesn't read the whole file?
Not for Detect, no. The assumption is that Detect is normally followed by Parse, so you won't want the Stream consuming, so we do a mark/reset to check the first few kb only
I know for Office files you can tell it's an Office file from the first dozen or so bytes, but you have to read the 2nd 512 block to find out more.
Not always... Many tools opt to put the properties blocks very close to the start, which lets you tell the type (because you can see the entry names), not all do. For the rest, you need to open the OLE2 structure and check the names of the entries
Nick
