In Challenges in Recovering Deleted Email computer forensics expert witness Steve Burgess writes:
Both computer forensics experts and data recovery technicians seek to recover deleted data. Data recovery is primarily interested in bringing back files, while computer forensics tends to dig deeper, looking not just for deleted documents, but also for metadata (data about data – such as file attributes, descriptions, dates, and other information) and meaningful snippets of unrecoverable files. One area of particular interest is email.
When most documents are written to a computer’s hard disk, each newly created document has its own directory entry (what the user sees as a listing in a folder). If a file has been deleted, but has not been overwritten by another document, the recovery process is a relatively trivial part of e-discovery or of data recovery. But when the data of interest is from deleted email, the discovery process is likely to differ significantly from that of data recovery. Individual emails are stored differently than individual files. Different types of email programs store data differently on the user’s hard disk and require different schemes for finding useful information. As a result, the deletion of emails and recovering of deleted emails differs not only from that for other types of documents, but also between different types of email programs.