Steganography - Hidden Archives
There are a number of articles online discussing concatenating images and compressed archives. Terminally Incoherent calls it “poor man’s steganography.” The basic premise is to take an archive containing the data that desires to be hidden and attach it to the end of an innocent appearing image file. When opened, the expected image will display. However, when opened with an archive utility such as WinZip, WinRar, or 7zip the “hidden” archive will open.
The process for creating such an image is as follows:
copy /b innocent.jpg secret.rar innocently_deceptive.jpg
Since the header of the attached archive is still intact, it is possible to scan for that signature and carve it out. Depending on the circumstances, it may be easier to export all of the images suspected of containing hidden archives and only checking these files. Instead of scanning for headers and manually carving, it may be more effective to throw an archive utility at every file and attempt to unpack it.
Using a simple shell command and 7zip (it is free), this can become an automated process. For windows, the following should work:
for /F usebackq %i in (`dir /B`) do Z:\path\to\7z.exe x "%i"
This assumes that the current working directory is the export folder. Modify the 7z.exe path as necessary. Other modifications can be made depending on needs, but this will unpack any potential archives that are attached to the exported images.