How does Iris recover deleted documents from hard drives?

Recovering deleted data is essentially a function of the particular forensic software application used by the forensic examiner. Iris uses two of the most respected forensic applications for this: Guidance Software’s EnCase and AccessData’s Forensic Toolkit (FTK). Both are similar and assume that you are working with an exact bit-stream image of the original subject hard drive.
When data is collected by forensically imaging the original custodian hard drive, the standard method is to capture an exact bit-stream image, which includes both allocated and empty (unallocated) space as well as file slack space. When a user “deletes” a file from their computer, the file is not really deleted. The operating system simply tells the file system’s internal file table (the FAT or NTFS file table, for example) to treat that space as available the next time it needs room to store a file. It does this by clearing the entry in the file table that identifies the containing folder where the file can be found. It does not, however, delete the contents of the file itself. This empty space is therefore not really empty; it provides a source for recovering or “un-deleting” files that a user may have previously intended to destroy.
Thus the process of recovering deleted data stems from parsing the file table for entries that have been marked deleted and no longer have a parent folder. Depending on a number of factors (chiefly whether the freed space has since been reused), it may not be possible to recover all the original folder names, but the contents of many individual files can be restored.
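The mechanism described above, worked through on a toy FAT16-style volume, as an added example that is not part of the original page and is not code from Iris, EnCase or FTK. The layout, file names and file contents are constructed for the demonstration. Deleting a file only overwrites the first byte of its 32-byte directory entry with 0xE5 and frees its cluster chain in the FAT; the data clusters are untouched, so an undelete pass can read them back from the “empty” space. The second demo shows the main caveat: once a new file is allocated into those freed clusters, the deleted content is overwritten and recovery fails.

```python
"""Toy FAT16-style volume (constructed, not a real disk image) showing why
"deleted" files remain recoverable and when they stop being recoverable.

Layout:
  [0, 512)      FAT: one little-endian uint16 per cluster (0 = free, 0xFFFF = end of chain)
  [512, 1024)   root directory: 32-byte entries, 0x00 first byte = end of directory
  [1024, ...)   data area; cluster numbering starts at 2, as on a real FAT volume
"""
import struct

CLUSTER = 512
FAT_OFF, DIR_OFF, DATA_OFF = 0, 512, 1024
FREE, EOC = 0x0000, 0xFFFF
DELETED = 0xE5          # first byte of a directory entry once the file is "deleted"


def cluster_offset(n):
    return DATA_OFF + (n - 2) * CLUSTER


def get_fat(image, cluster):
    return struct.unpack_from("<H", image, FAT_OFF + cluster * 2)[0]


def set_fat(image, cluster, value):
    struct.pack_into("<H", image, FAT_OFF + cluster * 2, value)


def alloc(image, n):
    """First-fit allocator: first run of n contiguous free clusters."""
    total = (len(image) - DATA_OFF) // CLUSTER + 2
    run = []
    for c in range(2, total):
        run = run + [c] if get_fat(image, c) == FREE else []
        if len(run) == n:
            return run[0]
    raise RuntimeError("volume full")


def write_file(image, slot, name, ext, data):
    """Store data in consecutive clusters, link them in the FAT, add a directory entry."""
    first = alloc(image, -(-len(data) // CLUSTER))
    clusters = list(range(first, first + -(-len(data) // CLUSTER)))
    for i, c in enumerate(clusters):
        chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
        image[cluster_offset(c):cluster_offset(c) + len(chunk)] = chunk
        set_fat(image, c, clusters[i + 1] if i + 1 < len(clusters) else EOC)
    entry = bytearray(32)
    entry[0:11] = name.ljust(8).encode() + ext.ljust(3).encode()   # 8.3 name
    entry[11] = 0x20                                                # archive attribute
    struct.pack_into("<H", entry, 26, first)                        # first cluster (low word)
    struct.pack_into("<I", entry, 28, len(data))                    # file size
    image[DIR_OFF + slot * 32:DIR_OFF + slot * 32 + 32] = entry


def delete_file(image, slot):
    """What the OS does on delete: mark the entry, free the chain, leave the data alone."""
    off = DIR_OFF + slot * 32
    c = struct.unpack_from("<H", image, off + 26)[0]
    while c not in (FREE, EOC):
        nxt = get_fat(image, c)
        set_fat(image, c, FREE)
        c = nxt
    image[off] = DELETED


def list_entries(image):
    """Parse the directory table, including entries marked deleted (the forensic view)."""
    out = []
    for slot in range(CLUSTER // 32):
        e = image[DIR_OFF + slot * 32:DIR_OFF + slot * 32 + 32]
        if e[0] == 0x00:
            break
        deleted = e[0] == DELETED
        name = (b"?" + e[1:8] if deleted else e[0:8]).decode().rstrip()  # first char is lost
        first, size = struct.unpack_from("<HI", e, 26)
        out.append({"name": f"{name}.{e[8:11].decode().rstrip()}",
                    "deleted": deleted, "first": first, "size": size})
    return out


def read_live(image, entry):
    """Normal read: follow the FAT chain."""
    data, c = bytearray(), entry["first"]
    while c != EOC:
        data += image[cluster_offset(c):cluster_offset(c) + CLUSTER]
        c = get_fat(image, c)
    return bytes(data[:entry["size"]])


def recover_deleted(image, entry):
    """Undelete: the chain is gone, so assume the file's clusters were contiguous."""
    start = cluster_offset(entry["first"])
    return bytes(image[start:start + entry["size"]])


def build_volume():
    image = bytearray(DATA_OFF + 8 * CLUSTER)
    set_fat(image, 0, EOC), set_fat(image, 1, EOC)      # reserved FAT entries
    write_file(image, 0, "REPORT", "TXT", b"quarterly numbers\n" * 40)  # clusters 2-3
    write_file(image, 1, "SECRET", "DOC", b"merger plan\n" * 60)        # clusters 4-5
    delete_file(image, 1)
    return image


def demo():
    """Returns {name: (was_deleted, content)} for every entry, deleted ones carved back."""
    image = build_volume()
    return {e["name"]: (e["deleted"], recover_deleted(image, e) if e["deleted"]
                        else read_live(image, e)) for e in list_entries(image)}


def demo_overwritten():
    """True only if SECRET.DOC still recovers after its freed clusters are reused."""
    image = build_volume()
    write_file(image, 2, "NEW", "LOG", b"new log data\n" * 50)   # first-fit lands on 4-5
    secret = next(e for e in list_entries(image) if e["deleted"])
    return recover_deleted(image, secret) == b"merger plan\n" * 60


if __name__ == "__main__":
    for name, (deleted, content) in demo().items():
        print(f"{name:12} deleted={deleted} bytes={len(content)}")
    print("SECRET.DOC still recoverable after reuse:", demo_overwritten())
```

The “?” in the recovered name stands in for the character overwritten by 0xE5, which is why undelete tools cannot always give back the original name even when the content is intact. NTFS records the same fact differently (an in-use flag in the master file table record rather than a marker byte), but the consequence the page describes is identical: the table entry changes, the data does not.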