On most disks there is data in the unallocated space. This is space that the operating system treats as free space, and will use to write new files. How come such data exists in this space. The normal answer is that the file has been deleted, in which case the directory entry has been cleared, but to save time, the sectors used to store the data are not initialised. The second way that data may exist in unallocated space is as the result of a disk error, or program crash.
CnW Recovery has two main ways to recover data in unallocated space.
● By reading file entries that have been deleted ● By reading all or part of the disk and looking for file starts
The first approach is an option within the recovery menu - and is dependent on the operating system being used. NTFS is very good at recovering many deleted files, as the MFT is just marked as deleted, and all file locations typically remain intact. Where possible files are marked as overwritten if some of all of the data area has been used for a different file. A FAT system may point to the start of a file, but then it is a guess where the file is stored. If it has been fragmented, recovery is harder. The Macintosh does not have the concept of deleted files - once removed from the trash bin.
The second approach is a raw read. This can read the complete disk, or if used in conjunction with a format recover, will just examine areas of the disk that have not been used by the operating system. Files are detected by examining the first part for known file signatures, but it is always assumed (currently) that a file will be sequential. For very long files this is not always the case. As a bonus, on NTFS compressed blocks are handled correctly.
A final area where data can be found is in slack space. For more details on this see the NTFS forensic page. Slack space is the are of the disk at the end of a cluster, but not actually used by a current file. It will often contain data from a previous file in that location, or sometimes from the memory of the computer at the time of writing.