I'll try to answer your questions in a different order. What does altering a file mean ?
Altering means whenever you modify and update the content of the file (modify in linux). If we look at ntfsundelete source code we can clearly see what the authors have marked as alter:
ntfsundelete.h line 72:
time_t date_a; /* altered */
ntfsundelete.c line 1002, 1045:
name->date_a = ntfs2timespec(attr->last_data_change_time).tv_sec;
last_data_change_time is also explained in linux/fs/ntfs/inode.c line 674:
* mtime is the last change of the data within the file. Not changed
* when only metadata is changed, e.g. a rename doesn't affect mtime.
*/
vi->i_mtime = ntfs2utc(si->last_data_change_time);
Question nr. 2:
List of actions that change a directory modification time:
Linux
Windows
Question nr.1:
No, deleting a file does not count as altering it. So if you created a file more than two days ago and didn't change it until yesterday when you deleted it the command won't be able to recover it.
Here is a test on my NTFS partition. I had three .jpg files with mtime as follows:
- brr.jpg 2012-05-21
- IMG_2001.JPG 2012-05-21
- s640x480.jpg 2011-03-18
I modified IMG_2001.JPG with MSPaint and saved it so modification time changed to today: 2012-08-26. I then deleted (SHIF+DELETE) all three files and rebooted in Linux.
Running ntfsundelete without --time switch (altered time not taken into account) prints out a long list of files starting with the above three files:
ntfsundelete /dev/sda1 -m '*.jpg'
Inode Flags %age Date Size Filename
---------------------------------------------------------------
72801 FN.. 100% 2012-05-21 1055334 brr.JPG
72822 FN.. 100% 2012-08-26 1034072 IMG_2001.JPG
72826 FN.. 100% 2011-03-18 52333 s640x480.jpg
..... .... .... .......... ....... ............
Files with potentially recoverable content: 1631
Running ntfsundelete with --time d1 switch (so for files altered in the last 1 day) prints out only one file, namely the one I have just modified before deleting all three of them:
ntfsundelete /dev/sda1 -m '*.jpg' -t 1d
Inode Flags %age Date Size Filename
---------------------------------------------------------------
72822 FN.. 100% 2012-08-26 1034072 IMG_2001.JPG
Files with potentially recoverable content: 1
It sounds like you've hit a file with a funny name, and xargs is treating it as two files. The best approach is to rework your find to deal with all names safely:
find . -type f -name '*.sql' -exec grep -i 'texttolookfor' '{}' +
This uses the find --exec COMMAND + syntax instead of xargs. You could also use -print0/xargs -0 (if that works on OS X, not sure), but there isn't really a reason to, unless you need other xargs features.
Finally, if OS X grep supports it, you can use -- to indicate end-of-options—it'd go before the '{}', above—though this really shouldn't be needed with find (since the found files always begin with ./)
Best Answer
A whiteout is a special marker file placed by some "see-through" higher-order filesystems (those which use one or more real locations as a basis for their presentation), particularly union filesystems, to indicate that a file that exists in one of the base locations has been deleted within the artificial filesystem even though it still exists elsewhere. Listing the union filesystem won't show the whited-out file.
Having a special kind of file representing these is in the BSD tradition that macOS derives from: macOS uses
st_modebits 0160000 to mark them. Usingls -F, those files will be marked with a%sign, andls -Wwill show that they exist (otherwise, they're generally omitted from listings). Many union systems also make normal files with a special name to represent whiteouts on systems that don't support those files.I'm not sure that macOS exposes these itself in any way, but other systems from its BSD heritage do and it's possible that external filesystem drivers could use them.