Deleted files can often be recovered some time after a deletion. Most file systems only mark them as deleted in the index. These are labelled as “orphan files”. Therefore, they can be undeleted until the disk blocks they occupy, are eventually taken up by other files written to the hard disk. Most file systems only remove the link to data, not the actual data itself. Most actions on a hard drive are stored in some way – for instance internet history can be found in the index.dat file in C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5 folder.
De-fragmenting a drive reorders the data into sequential blocks, overwriting any data that had existed in those blocks before. This will therefore effect any undeleting, as the blocks used by the defrag routine, will either be
empty or orphan files.
Low-Level Formatting a hard drive writes a zero-byte to every addressable location on the disk surface in every sector of the drive. This will normally render any undelete process ineffective. A quick format however, only affects the file index and will normally not hinder any undeletes process.
Disk caching (your temporary internet files are an example) allows most recently accessed data to be stored in a memory buffer. Even after cache is deleted, there is a small window of opportunity to undelete this information. However, the success of this will largely depend on whether your “history logs” were enabled.
Email history can be difficult to reveal, especially if the user was using a web based client like Google mail, rather than an email client such as Outlook. Some email correspondence may be evident in .xml files following an undelete, but the extent will depend on whether the logs were enabled.
