How to recover “deleted” files in Linux on an NTFS filesystem (files originally from macOS)

Tags: deleted-files, macintosh, mv, ntfs

My girlfriend has an external hard disk with 10 years+ of photos, documents and more. A lot of these files originate from her old iPhone 5 and her MacBook. The hard disk itself is NTFS format. Since the disk is so old, it turns into a hazard of data loss (what an irony).

As we tried to upload all the files into OneDrive to store them safely, we got 1,000s of errors because of invalid file names. I realized that many files started with ._, e.g. ./pic/92 win new/iphone/._IMG_1604.JPG. I don't understand macOS and why files should be named like that, but for sure you can never get them into OneDrive like that.

So I decided to hook it to my Raspberry Pi and rename all files with the wrong characters from the command line. After listing the nearly 10,000 files, I ran the following over the whole hard disk.

find . -name "._*" | sed -e "p;s/\._//" | xargs -d '\n' -n2 mv

Furthermore, I removed some leading whitespace in filenames with zmv.

I tried the command in a test environment first and it looked fine. But I didn't check the file size.

After my girlfriend connected the hard disk back onto her Mac, all renamed files show a file size of 4KB (empty)! I screwed it up and I don't know how.

I assume the data is still there, but I somehow screwed the filesystem.

Does anybody understand what I did wrong? More importantly, do you see a chance to recover the files? I would appreciate any advice.

Best Answer

As mentioned by terdon, when writing to a "foreign" filesystem, Mac OS uses two filenames for each file. One with the actual contents and a second one with metadata that would have been stored in the resource fork. You renamed the metadata filename to the content filename, thus deleting the content file in the process.

However, I slightly disagree with him that the originals were overwritten. The data should be on the disk (I hope it's not an SSD), but you no longer have a filename to them, and the clusters will be marked as free space.

If the files were uploaded into OneDrive, you already have a copy there. An advantage here is that you have the full list of filenames that were originally on the disk. If you don't, continue reading.

First of all, before doing any further recovery on the disk, you should make a copy and work with that, e.g. with dd. This way, you avoid making things worse during a recovery attempt, since you would be working on a copy of the data.

Second step would be to attempt recovery with a tool like ntfsundelete, trying to recover the deleted entries.

Third, since these files were presumably copied in full from a different system, I expect the files wouldn't (generally) have been fragmented, but using sequential blocks, so it will probably be possible to recover most of them through file carving.

In that case, a tool like photorec should be able to find most of the photos, even with no access to the filesystem metadata.

Finally, remember to back up what you might recover!

Good luck
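The overwrite described in the answer can be caught before any rename runs. The following is an added example, not part of the original post: a dry-run and apply helper that never strips the `._` prefix when a sibling with the plain name already exists. The function names, the COLLISION/FREE/RENAMED labels and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Classify or rename AppleDouble "._name" files without ever
# replacing an existing "name". Output, one line per "._*" file:
#   COLLISION  a sibling without the "._" prefix exists; file left untouched
#   FREE       (plan mode) no sibling exists, so a rename cannot clobber data
#   RENAMED    (apply mode) prefix stripped, nothing was overwritten
appledouble_rename() {
    mode=$1 dir=$2
    # -exec ... {} + passes paths as arguments, so spaces in names are safe.
    find "$dir" -type f -name '._*' -exec sh -c '
        mode=$1; shift
        for f do
            base=${f##*/}
            target="${f%/*}/${base#._}"
            if [ -e "$target" ]; then
                printf "COLLISION\t%s\n" "$f"
            elif [ "$mode" = apply ]; then
                mv -- "$f" "$target" && printf "RENAMED\t%s\n" "$f"
            else
                printf "FREE\t%s\n" "$f"
            fi
        done' sh "$mode" {} +
}

# Constructed sample tree (made-up names and contents, not data from the page).
make_fixture() {
    mkdir -p "$1/pic/iphone"
    printf 'REAL PHOTO BYTES' > "$1/pic/iphone/IMG_1604.JPG"
    printf 'resource fork metadata' > "$1/pic/iphone/._IMG_1604.JPG"
    printf 'only copy' > "$1/pic/._notes.txt"
}

# Dry run on the sample tree: the photo's sidecar is reported, not moved.
demo=$(mktemp -d)
make_fixture "$demo"
appledouble_rename plan "$demo"
rm -rf "$demo"
```

Any COLLISION line in plan mode marks a metadata sidecar whose rename would have replaced the real file, which is the case that emptied the photos here.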
