You have said multiple times that the outer wrapper was CC, and the offline, inner wrapper was KC. All they need to do is infer it is CC output, either through online attacks, anomalies in its statistical distribution, block size, etc. Also, certain modes like ECB have watermarking attacks, which inherently reveal that ECB was used.

RC4 is a common stream encryption which can definitely be detected. In contrast AES seems much harder.

It is called a Distinguishing attack. See: https://eprint.iacr.org/2013/176.pdf http://www.security.iitk.ac.in/hack.in/2009/repository/bimal... http://elligator.cr.yp.to/elligator-20130828.pdf http://cr.yp.to/streamciphers/mag/053.pdf http://christina-boura.info/sites/default/files/KeyDifferenc...