Board: Development & Technical Discussion
Re: Wallet.dat fragmented from OS reinstallation on HDD
by bulleteyedk on 04/03/2025, 09:24:05 UTC
I've been using X-Ways Forensics since 2011; with a tool like this you would be able to search with regular expressions in the unallocated area of a hard drive.
https://www.x-ways.net/forensics/index-m.html

My approach would be to search for the headers of possibly deleted wallet.dat files with regex searches in the unallocated area, swap files, etc.

Regex searches in X-Ways Forensics for each header type:
2009-2012 wallet.dat file header:
\x00\x05\x31\x62\x00\x00\x00\x02

Slight change to wallet.dat file in 2017:
\x00\x05\x31\x62\x00\x00\x00\x03

With Bitcoin Core 0.18.0 in 2019, the header changed once again:
\x00\x05\x31\x62\x00\x00\x00\x03

With Bitcoin Core 0.21.0 in 2021 and onwards to today, the header changed completely:
\x53\x51\x4C\x69\x74\x65\x20\x66\x6F\x72\x6D\x61\x74\x20\x33\x00
If you're not able to get a license for X-Ways Forensics, you could take a look at Autopsy (https://www.autopsy.com/) or The Sleuth Kit (https://www.sleuthkit.org/).
I've never used either of these, but it seems there is a free trial available for Autopsy, and The Sleuth Kit is open source and free to use.
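As an added example (not part of the post, and not X-Ways code), here is a small Python signature scanner that runs the header patterns above over a raw disk image in streaming chunks and reports the absolute offset of each hit. For the Berkeley DB patterns it also reports where the file itself begins: Berkeley DB stores that magic at byte 12 of its metadata page, so the carve start is 12 bytes before the match. The sample image is constructed inline; the v3 header in it deliberately straddles the 64-byte chunk boundary used by demo().

```python
import io
import re

# Signatures from the post. The Berkeley DB ones are the btree magic 0x00053162
# followed by a 4-byte big-endian version; the last is the 16-byte SQLite header.
BDB_MAGIC = b"\x00\x05\x31\x62"
SIGNATURES = {
    "bdb-v2 (2009-2012 wallet.dat)": BDB_MAGIC + b"\x00\x00\x00\x02",
    "bdb-v3 (2017+ wallet.dat)": BDB_MAGIC + b"\x00\x00\x00\x03",
    "sqlite3 (Bitcoin Core 0.21+ wallet)": b"SQLite format 3\x00",
}
# Berkeley DB keeps the magic at byte 12 of its metadata page (after an 8-byte
# LSN and a 4-byte page number), so the file itself starts 12 bytes earlier.
BDB_MAGIC_OFFSET = 12
PATTERN = re.compile(b"|".join(re.escape(s) for s in SIGNATURES.values()))
OVERLAP = max(len(s) for s in SIGNATURES.values()) - 1

def scan_bytes(data: bytes, base: int = 0, skip_before: int = 0) -> list[tuple]:
    """Return (label, match_offset, file_start) for every signature in data; a
    match ending at or before skip_before was already reported from the overlap."""
    hits = []
    for m in PATTERN.finditer(data):
        if m.end() <= skip_before:
            continue
        sig = m.group(0)
        label = next(k for k, v in SIGNATURES.items() if v == sig)
        start = base + m.start()
        file_start = start - BDB_MAGIC_OFFSET if sig.startswith(BDB_MAGIC) else start
        hits.append((label, start, max(file_start, 0)))
    return hits

def scan_stream(fh, chunk_size: int = 1 << 20):
    """Stream a raw image (e.g. a dd copy opened in binary mode) in chunks, carrying
    OVERLAP bytes forward so a signature split across a boundary is found exactly once."""
    carry, pos = b"", 0
    while chunk := fh.read(chunk_size):
        buf = carry + chunk
        yield from scan_bytes(buf, base=pos - len(carry), skip_before=len(carry))
        pos += len(chunk)
        carry = buf[-OVERLAP:]

# Constructed sample "image": filler, a v3 wallet header straddling the 64-byte
# chunk boundary used in demo(), a SQLite header, then a v2 wallet header.
SAMPLE_IMAGE = (b"\xaa" * 50 + b"\x00" * 12 + SIGNATURES["bdb-v3 (2017+ wallet.dat)"]
                + b"\xbb" * 30 + SIGNATURES["sqlite3 (Bitcoin Core 0.21+ wallet)"]
                + b"\xcc" * 20 + b"\x00" * 12 + SIGNATURES["bdb-v2 (2009-2012 wallet.dat)"]
                + b"\xdd" * 10)

def demo(chunk_size: int = 64) -> list[tuple]:
    return list(scan_stream(io.BytesIO(SAMPLE_IMAGE), chunk_size))
```

To run it against a real image, pass `open("disk.raw", "rb")` to scan_stream instead of the BytesIO; the reported file_start is the offset to hand to a carving tool.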