Tuesday, August 15, 2017

Further Carving

Not satisfied with the Autopsy results, I ran the application called foremost and recovered more files.

I then ran Autopsy again and found that the parameters originally chosen for evidence09 were probably too restrictive, as the second time Autopsy captured the same number of files as foremost.

The only issue is that foremost recovers all the data without showing which path the unallocated block belonged to, whereas with Autopsy you can filter out what was under Internet Explorer, for example, and ignore those files (most likely images downloaded temporarily whilst the user was browsing).

Out of curiosity I also tried another tool, this time PhotoRec. This one requires you to mount the image first, so I did the following:

1) Create a mounting directory called /mnt/evi09mnt
2) Run the command to mount the image (read-only, via a loop device, at the byte offset of the partition):
mount -o ro,loop,offset=32256 evidence09_sdb.dd /mnt/evi09mnt
3) Download the latest PhotoRec version (this doesn't require installation; you just have to download and unzip the files into a folder).
4) Run the file called ./photorec_static.

This opens the partition you want to examine. You also need to select a separate folder for the results.

In my test, 22420 files were recovered. I hadn't filtered for the file types I wanted, so I went back and configured the following file types to be recovered:

accdb (Access Data Base, as part of Office)
bk (MS Backup File)
bmp (BMP bitmap image)
doc (Microsoft Office Document: doc/xl/ppt/vsd/... for 3ds Max, MetaStock, Wilcom ES)
evt (Windows Event Log)
gif (Graphic Interchange Format)
http (HTTP Cache)
jpg (JPG picture)
key (Synology AES key)
mov/mdat (Recover mdat atom as a separate file)
mov (mov/mp4/3gp/3g2/jp2)
mp3 (MP3 audio: MPEG ADTS, layer III, v1)
mpg (Moving Picture Experts Group video)
nsf (Lotus Notes)
one (Microsoft OneNote)
pcx (PCX bitmap image)
pdf (Portable Document Format, Adobe Illustrator)
png (Portable/JPEG/Multiple-Image network Graphics)
psb (Adobe Photoshop Image)
psd (Adobe Photoshop Image)
psf (Print Shop)
psp (Paint Shop Pro Image File)
pst (Outlook: pst/wab/dbx)
ra (Real Audio)
*rar (Rar archive)
reg (Windows Registry)
res (Microsoft Visual Studio Resource file)
riff (RIFF audio/video: wav, cdr, avi)
rm (Real Audio)
sqm (Windows Live messenger Log File)
tar (tar archive)
tif (Tag Image File Format and some raw file formats: pef/nef/dcr/sr2/cr2)
*tx? (Text files with header: rtf/xml/xhtml/mbox/imm/pm/ram/reg/sh/slk/stp/jad/url)
*txt (Other text files: txt/html/asp/bat/C/jsp/perl/php,py/emlx... scripts)
wks (Lotus 1-2-3)
xar (xar archive)
xml (Symantec encrypted xml files)
*zip (zip archive including OpenOffice and MSOffice 2007)
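The two manual steps above, working out the mount offset for the partition and restricting PhotoRec to the chosen file types, can be scripted. The following is an added example written for this post, not the post's own commands nor part of PhotoRec or Autopsy. It assumes mmls from The Sleuth Kit (the toolkit underneath Autopsy) is installed and prints its usual "Units are in 512-byte sectors" header and one row per slot, and it assumes PhotoRec's /cmd batch syntax (fileopt,everything,disable,<ext>,enable,...,search). The mmls output embedded in the script is constructed to resemble a single-NTFS-partition image like evidence09_sdb.dd; the mounting function itself needs root and a real image, so only the parsing and command-building functions are exercised below.

```shell
#!/bin/sh
# Added example, not the post's own commands: derive the byte offset that
# `mount -o loop,offset=...` needs from the image's partition table using
# mmls (The Sleuth Kit), mount the partition read-only so the evidence is
# never modified, and build a PhotoRec batch command limited to chosen types.

# Byte offset of a partition from its start sector and the sector size.
# The post's offset=32256 is start sector 63 with 512-byte sectors.
partition_offset() {
    echo $(( $1 * ${2:-512} ))
}

# Parse mmls output (read from stdin) and print the byte offset of the
# first allocated partition. Allocated slots carry a "NN:NN" slot id; the
# partition table itself shows "Meta" and gaps show "-------", so both are
# skipped. The sector size is taken from the "Units are in ..." header.
mmls_first_partition_offset() {
    awk '
        /^Units are in [0-9]+-byte sectors/ { split($4, a, "-"); ss = a[1] }
        $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+:[0-9]+$/ { print ($3 + 0) * ss; exit }
    '
}

# Mount an image's first partition read-only via a loop device (needs root).
mount_first_partition_ro() {
    image="$1"; mountpoint="$2"
    offset=$(mmls "$image" | mmls_first_partition_offset)
    [ -n "$offset" ] || { echo "no allocated partition found in $image" >&2; return 1; }
    mkdir -p "$mountpoint"
    mount -o ro,loop,offset="$offset" "$image" "$mountpoint"
}

# Build the PhotoRec /cmd argument that disables every file type and then
# enables only the given extensions, so a run does not produce 22420 files
# of everything. Assumes PhotoRec's documented batch syntax:
#   photorec /d <outdir> /cmd <image> fileopt,everything,disable,jpg,enable,search
photorec_fileopt() {
    cmd="fileopt,everything,disable"
    for ext in "$@"; do
        cmd="$cmd,$ext,enable"
    done
    echo "$cmd,search"
}

# Full PhotoRec invocation for an image and output directory (not run here).
photorec_cmd() {
    image="$1"; outdir="$2"; shift 2
    echo "photorec_static /d \"$outdir\" /cmd \"$image\" $(photorec_fileopt "$@")"
}

# Constructed mmls output (not captured from the real evidence image).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  00:00     0000000063   0000002088449   0000002088387   NTFS / exFAT (0x07)'

# Example usage with the constructed output (prints 32256), then the batch
# command that would recover only the post's document-like types:
# printf '%s\n' "$SAMPLE_MMLS" | mmls_first_partition_offset
# photorec_cmd evidence09_sdb.dd /mnt/photorec_out doc pdf pst reg evt
```

Mounting read-only with the offset taken from the partition table rather than typed by hand avoids the classic mistake of mounting the wrong slot or, worse, writing to the evidence; the same offset is what PhotoRec needs if you point it at the raw image instead of the mounted volume.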