
Recovering files from CRYPTWALL 3.0 infection

Posted: 28 Nov 2015, 10:05
by asadz
I have recently recovered from a CRYPTWALL 3.0 infection on my laptop, to the point that it is no longer infecting new files/folders/directories.

I got to read a lot of reviews on TestDisk/PhotoRec's ability to recover the (original) files that were deleted by CRYPTWALL 3.0. I ran PhotoRec on my C:\ drive and got excellent results: 2000 files recovered :)

The thing is that on the E:\ drive I got no recovery using PhotoRec; I was surprised that the recovery was 8 files out of 258 GB. Then I ran TestDisk alone and I got:
Drive E: - 240 GB / 223 GiB - CHS 29216 255 63
Current partition structure:
Partition Start End Size in sect

1 * Sys=72 13577 238 11 119521 238 60 1701990410

Bad relative sector.
2 * Sys=74 45381 70 3 79242 34 29 543974724

Bad relative sector.
3 * NetWare 3.11+ 10498 56 41 10498 56 40 0

Bad relative sector.
Only one partition must be bootable
Space conflict between the following two partitions
1 * Sys=72 13577 238 11 119521 238 60 1701990410
2 * Sys=74 45381 70 3 79242 34 29 543974724
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted

So, with the issue in hand, is there a chance that PhotoRec cannot guarantee it has recovered all the deleted files? Should I worry about this issue, or take the PhotoRec results as final for disk E:\?

Also, I read that CRYPTWALL 3.0 deletes all shadow files / restore points as well, so how come PhotoRec/TestDisk finds these undeleted files? What is the internal logic?

Re: Recovering files from CRYPTWALL 3.0 infection

Posted: 29 Nov 2015, 18:36
by cgrenier
When using PhotoRec, you must store the recovered files on a partition other than the source.
Have you written anything to E: since CryptWall infected your computer?

Re: Recovering files from CRYPTWALL 3.0 infection

Posted: 02 Dec 2015, 15:45
by asadz
Sorry for the late reply. No, I don't remember writing anything to the E: drive. Should I worry about the overlapping issue? Will it affect recovery in any way?

Re: Recovering files from CRYPTWALL 3.0 infection

Posted: 03 Dec 2015, 07:33
by cgrenier
Data that have been overwritten cannot be recovered.
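To make the two points in this thread concrete (PhotoRec finds deleted files without any filesystem metadata or shadow copies, and overwritten data is gone), here is an added example that is not part of the thread and not PhotoRec's own code. It carves a constructed 64-sector image by file signature; the JPEG and PNG magic bytes are real, the image contents, the three file names and the "encrypted" filler are constructed for the demonstration:

```python
"""Signature-based file carving over a constructed disk image.

Added example, not code from this thread and not PhotoRec's own code. It
shows the idea PhotoRec is built on: ignore the filesystem's metadata
(directory entries, MFT records, shadow copies) and scan the raw sectors for
known file headers and footers. A file whose directory entry was deleted is
still carvable as long as its sectors have not been overwritten; a file whose
sectors were reused is gone, or comes back damaged.
"""
import hashlib

SECTOR = 512

# Real magic bytes for two common types: (header, footer).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 1 << 20):
    """Scan the whole image for header/footer pairs.

    Returns a sorted list of (offset, extension, data). Filesystem structures
    are never consulted, which is why deleted files still show up.
    """
    found = []
    for ext, (head, foot) in SIGNATURES.items():
        pos = 0
        while (h := image.find(head, pos)) >= 0:
            f = image.find(foot, h + len(head), h + max_size)
            if f < 0:                      # header without a footer in range: skip it
                pos = h + 1
                continue
            end = f + len(foot)
            found.append((h, ext, image[h:end]))
            pos = end
    return sorted(found)


def build_image():
    """Construct a toy 64-sector disk holding three files, then simulate what
    a ransomware run leaves behind. Returns (image, originals) where originals
    maps a constructed file name to (offset, original bytes)."""
    jpg_head, jpg_foot = SIGNATURES["jpg"]
    png_head, png_foot = SIGNATURES["png"]
    # Bodies built so that neither contains any header or footer sequence.
    up, down = bytes(range(256)) * 4, bytes(range(255, -1, -1)) * 4
    originals = {
        "photo1.jpg": (4 * SECTOR, jpg_head + b"JFIF" + up + jpg_foot),
        "logo.png":   (20 * SECTOR, png_head + b"IHDR" + down + png_foot),
        "photo2.jpg": (40 * SECTOR, jpg_head + b"JFIF" + down + jpg_foot),
    }
    image = bytearray(64 * SECTOR)
    for offset, data in originals.values():
        image[offset:offset + len(data)] = data
    # No directory entries are modelled at all: from the filesystem's point of
    # view every file here is already deleted, as after the ransomware removed
    # the plaintext originals. Now reuse two sectors for "encrypted" output.
    # Constructed filler with no 0xff byte, so it cannot create false signatures.
    filler = bytes((i * 7 + 3) % 251 for i in range(SECTOR))
    image[20 * SECTOR:21 * SECTOR] = filler   # logo.png: its header sector is overwritten
    image[41 * SECTOR:42 * SECTOR] = filler   # photo2.jpg: a middle sector is overwritten
    return bytes(image), originals


def verify(image: bytes, originals: dict) -> dict:
    """Carve the image and grade each original: 'intact', 'corrupted' or
    'not found'. A SHA-256 comparison stands in for what a user would do by
    opening the recovered file."""
    carved = {offset: data for offset, _, data in carve(image)}
    verdicts = {}
    for name, (offset, original) in originals.items():
        if offset not in carved:
            verdicts[name] = "not found"
        elif hashlib.sha256(carved[offset]).digest() == hashlib.sha256(original).digest():
            verdicts[name] = "intact"
        else:
            verdicts[name] = "corrupted"
    return verdicts


if __name__ == "__main__":
    img, files = build_image()
    for name, verdict in verify(img, files).items():
        print(f"{name}: {verdict}")
```

The three verdicts are the whole story of this thread: the untouched file comes back byte-for-byte, the file whose header sector was reused is invisible to a carver, and the file with one overwritten sector in the middle is carved but damaged. That last case is also why a carver cannot promise completeness or integrity, and why recovered files must be written to a different partition than the one being scanned: every write to the source risks turning an "intact" into a "corrupted".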

Re: Recovering files from CRYPTWALL 3.0 infection

Posted: 12 Dec 2015, 16:27
by asadz
I know, but I want to know about the error I showed above in the original post: does it need to be fixed first?

Re: Recovering files from CRYPTWALL 3.0 infection

Posted: 13 Dec 2015, 20:21
by cgrenier
The only error in the first post is that you didn't use TestDisk correctly. You had selected a drive letter and forced a partition type. Partition type None is the right value for a partition. There is no partition inside a filesystem/partition.
PC Intel or EFI GPT is OK for a disk.
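An added example, not TestDisk's code, that shows the same three classes of complaint TestDisk printed in the first post and why pointing it at a drive letter with partition type Intel produces them. The MBR layout, the 255/63 geometry from the post and the NTFS/FAT boot-sector identifiers are real; reading "Bad relative sector" as a mismatch between the CHS start and the LBA start is my assumption about the message, not taken from TestDisk's source; all three sectors checked are constructed:

```python
"""Sanity checks on an MBR partition table, in the spirit of the messages
TestDisk printed in the first post ("Bad relative sector", "Only one partition
must be bootable", "Space conflict ..."). Added example, not TestDisk's code.
The rules are the documented MBR layout; treating "bad relative sector" as a
CHS/LBA mismatch is an assumption. The last sector shows why scanning a drive
letter with partition type Intel gives nonsense: a filesystem boot sector has
bootstrap code in the bytes where a disk's MBR keeps its partition table.
"""
import struct
from itertools import combinations

HEADS, SPT = 255, 63          # geometry from the post: CHS 29216 255 63
TABLE_OFFSET = 446            # four 16-byte partition entries start here


def chs_to_lba(c, h, s):
    return (c * HEADS + h) * SPT + (s - 1)


def lba_to_chs(lba):
    c, rem = divmod(lba, HEADS * SPT)
    h, s = divmod(rem, SPT)
    return c, h, s + 1


def encode_chs(c, h, s):
    """Pack a CHS triple in the MBR's 3-byte format (cylinder is 10 bits)."""
    return bytes([h, (s & 0x3F) | ((c >> 8) << 6), c & 0xFF])


def decode_chs(b):
    return ((b[1] >> 6) << 8) | b[2], b[0], b[1] & 0x3F


def entry(bootable, ptype, lba, count, chs_start=None):
    """Build one 16-byte entry; chs_start can be forced to disagree with LBA."""
    chs_start = chs_start or lba_to_chs(lba)
    return (bytes([0x80 if bootable else 0x00]) + encode_chs(*chs_start)
            + bytes([ptype]) + encode_chs(*lba_to_chs(lba + count - 1))
            + struct.pack("<II", lba, count))


def build_mbr(entries):
    mbr = bytearray(512)
    for i, e in enumerate(entries):
        mbr[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)] = e
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def check_mbr(sector):
    """Return a list of problems found when `sector` is read as an MBR."""
    problems = []
    if sector[510:512] != b"\x55\xaa":
        problems.append("missing 0x55AA boot signature")
    parts = []
    for n in range(1, 5):
        e = sector[TABLE_OFFSET + 16 * (n - 1):TABLE_OFFSET + 16 * n]
        status, ptype = e[0], e[4]
        lba, count = struct.unpack("<II", e[8:16])
        if ptype == 0:
            continue                      # empty slot
        c, h, s = decode_chs(e[1:4])
        # Beyond cylinder 1023 the CHS field is only a saturated marker, so
        # compare it with the LBA field below that limit only.
        if c < 1023 and chs_to_lba(c, h, s) != lba:
            problems.append(f"partition {n}: bad relative sector "
                            f"(CHS {c}/{h}/{s} -> LBA {chs_to_lba(c, h, s)}, entry says {lba})")
        parts.append((n, status, lba, lba + count))
    if sum(1 for _, st, _, _ in parts if st == 0x80) > 1:
        problems.append("only one partition must be bootable")
    for (n1, _, a1, b1), (n2, _, a2, b2) in combinations(parts, 2):
        if a1 < b2 and a2 < b1:
            problems.append(f"space conflict between partitions {n1} and {n2}")
    return problems


def is_filesystem_boot_sector(sector):
    """True if the sector is an NTFS or FAT volume boot record, i.e. it belongs
    to a partition and holds no partition table (partition type None applies)."""
    return (sector[3:11] == b"NTFS    "
            or sector[54:62] in (b"FAT12   ", b"FAT16   ")
            or sector[82:90] == b"FAT32   ")


# Constructed tables: a sane two-partition disk, and one reproducing the
# three errors from the post.
GOOD_MBR = build_mbr([entry(True, 0x07, 2048, 204800),
                      entry(False, 0x83, 206848, 100000)])
BAD_MBR = build_mbr([entry(True, 0x07, 2048, 204800),
                     entry(True, 0x83, 100000, 100000),                       # overlaps 1, second bootable
                     entry(False, 0x0C, 300000, 50000, chs_start=(0, 1, 1))])  # CHS says LBA 63

# Constructed NTFS boot sector: OEM id at offset 3, arbitrary bootstrap bytes
# where an MBR keeps its table. Read as an MBR it yields garbage entries.
FAKE_VBR = bytearray(512)
FAKE_VBR[0:3] = b"\xeb\x52\x90"
FAKE_VBR[3:11] = b"NTFS    "
FAKE_VBR[TABLE_OFFSET:510] = bytes((i * 7 + 3) % 251 for i in range(64))
FAKE_VBR[510:512] = b"\x55\xaa"
FAKE_VBR = bytes(FAKE_VBR)


if __name__ == "__main__":
    for label, sec in (("good MBR", GOOD_MBR), ("bad MBR", BAD_MBR), ("NTFS boot sector", FAKE_VBR)):
        kind = "filesystem boot sector, no table to analyse" if is_filesystem_boot_sector(sec) else "disk"
        print(f"{label} ({kind}): {check_mbr(sec)}")
```

The NTFS sector even carries the 0x55AA signature that an MBR has, so a checker that does not first ask "is this a volume boot record?" happily decodes bootstrap code as four partitions with odd type bytes, mismatched CHS/LBA fields and overlapping extents. That is the false positive asadz saw, and choosing partition type None is the equivalent of the `is_filesystem_boot_sector` test.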

Re: Recovering files from CRYPTWALL 3.0 infection

Posted: 21 Jan 2016, 19:25
by asadz
I think I have not been good at explaining what exactly I mean by error. Here are my steps:

I run testdisk_win
Select CREATE for the log
Select drive C:
Select Intel partition
Go to Analyze

Then I get this (see attached).

Also, when in the second-last option I select "None", the structure is shown as "OK".

Re: Recovering files from CRYPTWALL 3.0 infection

Posted: 21 Jan 2016, 19:50
by asadz
I think I have understood what you mean by "forcing"; it was giving me a false positive in a way. Thanks for correcting me.