If I index a hard disk does it include the deleted files?

If the "index unallocated sectors" option has been chosen when creating the index then deleted file data may be retrieved and included in the index, as deleted file data resides in the unallocated sectors. However using the "Deleted File Search" function in OSForensics can be more effective in terms of retrieving complete files.

The indexing of unallocated sectors treats all sectors the same, regardless of the type of data that might have been stored there. A string extraction is performed on the sector, so while this will work well for files that contain unaltered text (eg text, HTML files) it will not work so well on sectors that contained part of an encrypted or compressed file (eg .docx, zip). To recover binary data from files it is possible to set the "Binary String Extraction Level" in the advanced indexer settings. Changing this option will determine how strict the indexer is when making a decision as to what data is a word and what is simply random data. It is recommended to leave this on the default setting as extreme will pull out a lot more data but most of it will not be sensible text. The Code Words setting is useful if you are trying to find things like passwords missed by the default option.

The deleted file search function is aware of different file types and retains the structure of the file, as well as files stored entirely in the master file table (MFT). Only very small files fit in the MFT but these files will never appear in unallocated sectors on the disk. It will also recover files that had little, if any, text content. So a file such as a JPG, video or MP3 file may not contain any text for the search index to recover, the deleted file search function may allow you to recover and view the file. It is also possible to set the quality and file size criteria in the deleted file search to limit the files recovered to ones that are more likely to be a reasonable quality.

The search index, once built, can be used for fast searching and password cracking functions in OSForensics. This can't be done directly with files that have been undeleted, however the files can be undeleted to another location and a separate search index created just for those files. 

If you have limited time and the drive under investigation is large, don't do the indexing of unallocated sectors and instead use the deleted files search function. Some data may be missed but if time is limited then it makes sense to get the best quality data first. If time is available, or the drive is small, do both the indexing of unallocated sectors and the deleted files search. Note that is it possible to build 3 separate indexes for the same drive. Index 1 could be normal files, Index 2 could be unallocated sectors and Index 3 could be of undeleted files. Index 1 forms the basis of the investigation and then indexes 2 & 3 can be used if time permits and a deeper investigation is required.

For a tutorials on how to perform file recovery, and File Indexing & Searching, please see the below videos.