What functionality of Autopsy is used to recover deleted files from unallocated space?

The functionality of Autopsy that is used to recover deleted files from unallocated space is data carving. Data carving is a technique that involves searching through raw data on a storage medium to identify and reconstruct files based on their file signatures and content, rather than relying on file system metadata. This is particularly useful for recovering files that have been deleted because they might not have any remaining references in the file system, yet their actual data may still exist in unallocated space.

When data is deleted from a file system, the operating system typically marks the space occupied by the file as available for reuse, but the actual data may remain intact until it is overwritten by new data. Data carving allows forensic investigators to analyze this unallocated space, identifying file signatures and extracting recoverable files even when no metadata is available.

In contrast, file recovery typically requires metadata to locate and restore files, which may not be available for deleted items. Image verification focuses on ensuring the integrity of forensic images, and log analysis deals with reviewing logs for evidence and activity, neither of which directly addresses the recovery of deleted files.