Steganography: Hide Important Data behind an Image

Previous topic - Next topic
QuoteThe command `COPY /b SourceImage.jpg + SecretArchive.rar OutputImage.jpg` effectively hides a RAR/ZIP file inside a JPEG. The resulting file opens as an image by default but opens as an archive if you drag it into WinRAR.
Critical Rule: The Image must be the first file in the command syntax, or the file header will be corrupted.

This technique relies on "File Header Magic."
An Image Viewer (like Windows Photos) reads the file from the start (Header) until it sees the "End of Image" marker. It ignores everything after that marker.
An Archiver (like WinRAR) reads the file and looks for specific "Archive Markers" (like `PK` for Zip or `Rar!` for RAR) located anywhere in the binary stream.
You are essentially gluing two files together. To the OS, it looks like a Picture. To an Archiver, it looks like a Folder.

Checklist
  • Software: WinRAR, 7-Zip, or WinZip installed.
  • File Locations: Both the "Cover Image" (`.jpg`) and the "Secret Data" (`.rar`) must be in the same folder for the command to work easily.
  • File Size: The final image size will be: Size of Image + Size of Archive. If you hide a 1GB movie inside a 50KB JPEG, the resulting 1GB JPEG looks extremely suspicious.
  • The Hidden Requirement: The Binary Switch (`/b`). You must use the `/b` switch in the command. If you forget it, Windows treats the files as "Text" (ASCII), causing corruption when it hits non-text characters in the image/archive.

Step-by-Step Guide
  • Step 1: Preparation
    Create a folder `C:\Stego`.
    Place your innocent image (e.g., `cat.jpg`) and your secret archive (e.g., `data.rar`) inside this folder.
  • Step 2: Open Command Prompt
    Press `Win + R`, type `cmd`, and press Enter.
    Navigate to your folder:
    cd C:\Stego
  • Step 3: The Fusion Command
    Type the following command strictly in this order:
    copy /b cat.jpg + data.rar secret_cat.jpgTranslation: Copy (Binary Mode) cat.jpg PLUS data.rar INTO new file secret_cat.jpg.
  • Step 4: Verification
    Open `secret_cat.jpg` normally. It should look exactly like the original cat photo.
    Now, Right Click > Open With > WinRAR. You should see your secret files inside.

How It Works & Hidden Details

The Header Logic:

* A JPEG file starts with `FF D8` and ends with `FF D9`.
* When Windows Photos opens the file, it reads from `FF D8` to `FF D9`. It stops reading there.
* The `copy /b` command appends the RAR data after the `FF D9` marker.
* Since the image viewer stops early, it never sees the "garbage" data at the end.
* WinRAR, however, scans the entire file for the `Rar!` signature, finds it at the tail end, and mounts it.

Things to Watch Out For
  • Risk 1: Social Media Stripping. If you upload this `secret_cat.jpg` to Facebook, WhatsApp, or Instagram, their compression algorithms will delete the hidden data to save space. This only works for direct file transfers (Email, USB, Google Drive).
  • Risk 2: Encryption. This method is "Obscurity," not "Security." Anyone can open the file in Notepad or Hex Editor and see the secret data at the bottom. You must password-protect the RAR file before hiding it inside the image.

Frequently Asked Questions
  • Q: Can I use PNG instead of JPG?
    A: Yes, PNG works perfectly. Avoid BMP as it is rarely used today and looks suspicious.
  • Q: Can I extract it on Android?
    A: Yes, use "ZArchiver" or "RAR for Android." Rename the file from `.jpg` to `.rar` and extract it.

Update: Additional Details & Recent Changes

  • Windows 11/12 "Terminal" Trap:
    Modern Windows defaults to "Windows Terminal" (PowerShell) instead of the classic Command Prompt. The command `copy /b` will fail in PowerShell because `copy` is an alias for `Copy-Item`, which does not support the `+` concatenation syntax. You must explicitly open "Command Prompt" (cmd.exe) or type `cmd` inside the Terminal window before running the command.
  • Cloud Storage "Corruption" Flags:
    While Windows Defender usually ignores these files, uploading them to Google Drive, OneDrive, or Gmail in 2026 often triggers a "Virus Scan Failed" or "Corrupt File" warning. Their automated scanners detect the "Polyglot" structure (two file headers in one) and may block you from sharing the link, assuming it is malware.
  • Platform Specifics (Discord & Telegram):
    Discord: Standard image uploads are re-encoded (stripping the data). You must zip the image again or send it as a "File" to preserve the payload.
    Telegram: You must select "Send as File" (Paperclip > File > Gallery). Sending it as a standard "Photo" will wipe the secret data immediately.
  • Format Compatibility:
    Stick strictly to .JPG or .PNG. Newer formats like .HEIC (iPhone) or .WEBP (Web) have stricter container structures. Appending binary data to them often corrupts the image entirely, rendering it unviewable.

QuoteStep 2: Open Command Prompt
Press `Win + R`, type `cmd`, and press Enter.
Update: If you search for "Terminal" in the Start Menu, ensure you switch the profile to "Command Prompt" (Ctrl+Shift+2) or type `cmd` and hit Enter before pasting the code.

Similar topics (2)