Monday, October 28, 2013

What is the EnCase "Lost Files" folder?

This was posted by Jeffery Misner. I want to give credit for the source.

What is the Lost Files folder?

EnCase has a different method (compared to FAT) for recovering deleted files and folders with NTFS evidence files. When you add an NTFS Evidence file to EnCase, you will notice a folder added automatically to the evidence file in the case view called "Lost Files." In the MFT (Master File Table) in NTFS, all files and folders are marked as a folder or file, and are associated to a "parent."

Suppose you have a folder containing many files. Those files are its "children." For those files to become "lost," you delete them along with the folder itself. You then create a new folder. The entry in the MFT for the old folder is overwritten. So the original "parent" folder and its entry in the MFT are gone. But its "children," while deleted, have not been overwritten, and their entries are still in the MFT. EnCase can then tell what those files are, but there is no longer any record of what folder those files were in. Because of this, all those files (without parent folders anymore) are lumped into the "Lost Files" folder that EnCase creates and places in the Entries view so that you can see those files.

That is different from the recover folders feature, btw. Also note that Lost Files only appear for NTFS volumes since FAT does not work the same way.

Note: There is no way you can see those deleted files without using specialized software like EnCase.

Original source link: http://www.forensicfocus.com/Forums/viewtopic/t=2718/
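The following is an added illustration of the orphaning mechanism described in the post above; it is not EnCase's code and not a real MFT parser. It models a handful of constructed MFT records as (record number, sequence number) pairs, which is how NTFS file references are actually built: the sequence number is bumped each time an MFT record is reused, so a deleted child whose stored parent reference carries an old sequence number no longer points at a valid folder. The resolver places such entries under a synthetic "Lost Files" folder, while deleted files whose parent folder still exists keep their original path. Record numbers, names and the `MftRecord` class are assumptions made for the example.

```python
"""Model of how orphaned NTFS MFT entries end up in a "Lost Files" bucket.

Added example, not EnCase's own logic. Records are constructed by hand;
no disk image is read.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class MftRecord:
    record: int                          # MFT record number
    sequence: int                        # incremented each time the record is reused
    name: str
    is_dir: bool
    in_use: bool                         # False means the entry is deleted
    parent: Optional[Tuple[int, int]]    # (record, sequence) of the parent dir; None for root


# Constructed sample: record 40 once held the "Projects" folder (sequence 2).
# That folder and its files were deleted, then a new folder "NewStuff" was
# created and reused record 40 (sequence 3). The deleted children still
# carry the stale reference (40, 2).
MFT: List[MftRecord] = [
    MftRecord(5,  1, "",            True,  True,  None),
    MftRecord(40, 3, "NewStuff",    True,  True,  (5, 1)),
    MftRecord(41, 2, "report.docx", False, False, (40, 2)),   # orphaned
    MftRecord(42, 1, "budget.xlsx", False, False, (40, 2)),   # orphaned
    MftRecord(43, 1, "notes.txt",   False, False, (5, 1)),    # deleted, parent intact
    MftRecord(44, 1, "readme.txt",  False, True,  (40, 3)),   # live file in the new folder
]


def parent_is_valid(rec: MftRecord, by_record: Dict[int, MftRecord]) -> bool:
    """A parent reference is valid only if the record exists, is a directory,
    and still carries the sequence number the child stored."""
    if rec.parent is None:
        return True
    prec, pseq = rec.parent
    parent = by_record.get(prec)
    return parent is not None and parent.is_dir and parent.sequence == pseq


def resolve_paths(mft: List[MftRecord]) -> Dict[int, str]:
    """Map record number -> display path. Entries whose parent reference no
    longer resolves are grouped under "Lost Files", mirroring how a forensic
    tool presents orphans; children of a lost folder follow it there."""
    by_record = {r.record: r for r in mft}
    paths: Dict[int, str] = {}

    def path_of(r: MftRecord) -> str:
        if r.record in paths:
            return paths[r.record]
        if r.parent is None:
            p = ""                                   # root
        elif parent_is_valid(r, by_record):
            p = path_of(by_record[r.parent[0]]) + "/" + r.name
        else:
            p = "Lost Files/" + r.name               # parent overwritten or missing
        paths[r.record] = p
        return p

    for r in mft:
        path_of(r)
    return paths


def lost_file_names(mft: List[MftRecord]) -> List[str]:
    """Names of deleted entries whose parent folder record was reused or is gone."""
    by_record = {r.record: r for r in mft}
    return [r.name for r in mft if not r.in_use and not parent_is_valid(r, by_record)]


if __name__ == "__main__":
    for rec_no, path in sorted(resolve_paths(MFT).items()):
        rec = next(r for r in MFT if r.record == rec_no)
        flag = "" if rec.in_use else "  (deleted)"
        print(f"{rec_no:>3}  {path or '/'}{flag}")
    print("Lost Files:", lost_file_names(MFT))
```

Running the block lists `notes.txt` under the root as an ordinary deleted file, while `report.docx` and `budget.xlsx` land in `Lost Files/` because record 40 now belongs to `NewStuff` with a newer sequence number. Sequence-number checking is the key point for a defender reviewing such output: a stale parent reference is evidence that the folder record was overwritten, not that the files were never in a folder.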