Recovering files from CRYPTWALL 3.0 infection

asadz
Posts: 8
Joined: 22 Jan 2015, 06:26

Recovering files from CRYPTWALL 3.0 infection

#1 Post by asadz »

I have recently recovered from a CRYPTWALL 3.0 infection on my laptop, to the point that it is no longer infecting new files/folders/dirs.

I read a lot of reviews about testdisk/photorec's ability to recover the original files that were deleted by CRYPTWALL 3.0. I ran photorec on my C:\ drive and got excellent results: 2000 files recovered :)

The thing is that on the E:\ drive I got no recovery using photorec; I was surprised, the recovery was 8 files of 258 GB. Then I ran testdisk alone and got:
Drive E: - 240 GB / 223 GiB - CHS 29216 255 63
Current partition structure:
Partition Start End Size in sect

1 * Sys=72 13577 238 11 119521 238 60 1701990410

Bad relative sector.
2 * Sys=74 45381 70 3 79242 34 29 543974724

Bad relative sector.
3 * NetWare 3.11+ 10498 56 41 10498 56 40 0

Bad relative sector.
Only one partition must be bootable
Space conflict between the following two partitions
1 * Sys=72 13577 238 11 119521 238 60 1701990410
2 * Sys=74 45381 70 3 79242 34 29 543974724
*=Primary bootable P=Primary L=Logical E=Extended D=Deleted

So, is there a chance that, with this issue at hand, photorec cannot guarantee that it has recovered all the deleted files? Should I worry about this issue, and take the photorec results as final for disk E:\?

Also, I read that CRYPTWALL 3.0 deletes all shadow files / restore points as well, so how come photorec/testdisk finds these undeleted files? What is the internal logic?
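On the "internal logic" asked about above, as an added illustration for this thread and not code from PhotoRec or TestDisk: PhotoRec does not depend on the filesystem, its deleted-file entries, or shadow copies at all. It reads the disk sector by sector, looks for the header signature of a known file type at each sector boundary, and rebuilds the file from the file format's own structure, which is why it can turn up files that no restore point references any more. The Python below does the same for PNG and JPEG over a constructed disk image that contains no filesystem. Every function name and the sample image are constructed here; the PNG and JPEG magic numbers are the real ones. It also shows the two practical points raised later in the thread: a file whose bytes were overwritten fails its integrity check and is simply not recovered, and the carved files are written to a location away from the source image.

```python
import struct
import tempfile
import zlib
from pathlib import Path

# Real magic numbers for the two formats carved here; the carving logic
# itself is a simplified illustration, not PhotoRec's code.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
SECTOR = 512


def png_length(data, start):
    """Walk PNG chunks (4-byte length, 4-byte type, data, 4-byte CRC) from
    `start`; return the file length up to and including IEND, or None if a
    chunk is truncated or its CRC fails (its bytes have been overwritten)."""
    pos = start + len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(data):
            return None
        stored_crc = struct.unpack(">I", data[pos + 8 + length:chunk_end])[0]
        if zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xFFFFFFFF != stored_crc:
            return None
        pos = chunk_end
        if ctype == b"IEND":
            return pos - start
    return None


def jpeg_length(data, start):
    """Length from SOI to the first EOI marker. Entropy-coded JPEG data never
    contains FF D9 (FF is byte-stuffed), so this is enough for simple files;
    files with embedded EXIF thumbnails would need the marker segments parsed."""
    end = data.find(JPEG_EOI, start + len(JPEG_MAGIC))
    return None if end < 0 else end + len(JPEG_EOI) - start


SIGNATURES = (("png", PNG_MAGIC, png_length), ("jpg", JPEG_MAGIC, jpeg_length))


def carve(image, sector=SECTOR):
    """Check every sector boundary for a known header, ignoring any filesystem.
    Returns (offset, length, extension) for each file whose structure checks out."""
    found = []
    for offset in range(0, len(image), sector):
        for ext, magic, length_fn in SIGNATURES:
            if image.startswith(magic, offset):
                length = length_fn(image, offset)
                if length is not None:
                    found.append((offset, length, ext))
                break
    return found


def make_png():
    """Constructed sample: a valid 1x1 red RGB PNG."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_jpeg():
    """Constructed sample: SOI, a JFIF APP0 segment, filler bytes, EOI."""
    app0 = b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return JPEG_MAGIC + app0 + b"\x11" * 100 + JPEG_EOI


def build_image(sector=SECTOR):
    """Constructed disk image with no filesystem: an empty sector, a PNG, a text
    file, a JPEG, and a PNG whose header data was overwritten afterwards."""
    def pad(blob):
        return blob + b"\x00" * (-len(blob) % sector)
    damaged = bytearray(make_png())
    damaged[20:28] = b"XXXXXXXX"  # overwritten inside IHDR data: CRC no longer matches
    return (pad(b"\x00" * sector) + pad(make_png()) + pad(b"plain text, no magic header")
            + pad(make_jpeg()) + pad(bytes(damaged)))


def recover(image, out_dir):
    """Write each carved file into out_dir, which must not be the source disk."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for offset, length, ext in carve(image):
        path = out_dir / f"f{offset}.{ext}"
        path.write_bytes(image[offset:offset + length])
        paths.append(path)
    return paths


if __name__ == "__main__":
    image = build_image()
    for p in recover(image, tempfile.mkdtemp(prefix="carved_")):
        print(p, p.stat().st_size, "bytes")
```

Only the intact PNG at sector 1 and the JPEG at sector 3 come back; the text sector has no recognised header, and the overwritten PNG at sector 4 still has its magic bytes but fails the chunk CRC, so it is dropped rather than recovered as garbage. That is the whole reason the advice in this thread matters: carving works on whatever bytes are still physically on the disk, so anything written to the drive after the infection, including recovered files saved back onto it, can destroy exactly the data you are trying to get back.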

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Recovering files from CRYPTWALL 3.0 infection

#2 Post by cgrenier »

When using PhotoRec, you must store the recovered files on a partition other than the source.
Have you written anything to E: since cryptwall infected your computer?

asadz
Posts: 8
Joined: 22 Jan 2015, 06:26

Re: Recovering files from CRYPTWALL 3.0 infection

#3 Post by asadz »

Sorry for the late reply. No, I don't remember writing anything to the E: drive. Should I worry about the overlapping issue? Will it affect recovery in any way?

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Recovering files from CRYPTWALL 3.0 infection

#4 Post by cgrenier »

Data that have been overwritten cannot be recovered.

asadz
Posts: 8
Joined: 22 Jan 2015, 06:26

Re: Recovering files from CRYPTWALL 3.0 infection

#5 Post by asadz »

I know, but I want to know about the error I showed above in the original post: does it need to be fixed first?

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Recovering files from CRYPTWALL 3.0 infection

#6 Post by cgrenier »

The only error in the first post is that you didn't use TestDisk correctly. You had selected a drive letter and forced a partition type. Partition type None is the correct value for a partition: there is no partition table inside a filesystem/partition.
PC Intel or EFI GPT is OK for a disk.

asadz
Posts: 8
Joined: 22 Jan 2015, 06:26

Re: Recovering files from CRYPTWALL 3.0 infection

#7 Post by asadz »

I think I have not been good at explaining what exactly I mean by error. Here are my steps:

I run testdisk_win
Select CREATE for the log
Select drive C:
Select Intel partition
Go to Analyse

Then I get this, see the attachment.

Also, if in the second-to-last option I select "None", the structure is shown as "ok".
Attachments
badsec.PNG (11.85 KiB)

asadz
Posts: 8
Joined: 22 Jan 2015, 06:26

Re: Recovering files from CRYPTWALL 3.0 infection

#8 Post by asadz »

I think I have understood what you mean by "forcing"; it was giving me a false positive, in a way. Thanks for correcting me.
