Checking potentially infected photos for stegonography


A friend of mine has an old family PC with a bunch of important photos on it. Unfortunately, from what he told me, it seems like they have fallen victim to a tech support scam some five years ago, during which the scammer had remote access to their machine. They haven’t used this PC ever since that incident, because they were afraid that the scammer might have put some sort of malware onto their system. Since they aren’t super tech-savvy, my friend asked if I could help him safely recover their photos.

My idea would be to connect his HDD to my laptop using a SATA-to-USB adapter, boot into a Linux live environment, mount the HDD there, and copy the photos to either an external HDD or to my NAS. I see one problem with this, however. I’m by no means a security professional, but form what I’ve learned, it’s rather easy to embed a malicious payload into an image file (or at least a file that looks like an image; "steganography", "stegosploit"). So, it seems entirely possible that someone with remote access could have either copied an infected image to their hard drive, or run some sort of malware that infected their own photos. I think it’s unlikely that a tech support scammer would do this sort of thing, but the last thing I want to do is recover their photos and at the same time infect their current devices with malware.

Is there a reliable way for me to check their image files for such embedded malicious payloads (ideally from a Linux system)? My best guess would be to scan these files using an AV program such as ClamAV – do you think that would be good enough? Other than that, all I found were research papers looking into methods for detecting steganography, which leads me to believe that this is still a rather difficult problem to solve…

Edit: I have played around with OpenCV a while ago, which lets you read an image file into a Numpy array. So, theoretically, I could write a Python script that reads each of their photos into a Numpy array and exports it as a completely new image file, for a more of a "sanitizing" approach, rather than a "scanning" one. Do you think this is a good idea (especially of done by someone who’s not a security expert)?