Every now and then it can be useful to track how a program or process is accessing the hard drive. There are times when troubleshooting when you may want to track what files get changed when application settings are adjusted, or which files are accessed when you load a particular feature. Apple provides the Activity Monitor utility that will show you the overall input and output rates of the hard drive, but this overview does not specify the files that are being accessed.
While there are numerous ways to monitor hard-drive activity and usage in OS X, I've found that the following three options seem to work very well for identifying specific files that are updated by program activity.
Oddly enough, the Finder or another filesystem browser can be exceptionally useful in isolating files that are updated by programs. When a file is edited its modification date will change, so if you suspect a particular file holds a specific system setting then you can go to that folder in the Finder and sort items in list view by their creation dates.
After doing this, keep the Finder window open and monitor the creation date values when toggling your setting of interest. If a file in the present folder is altered by the settings, then you should see it go to the top of the list and be updated to reflect the new creation date. Sometimes when doing this it helps to wait at least a minute between invoking setting changes so you can clearly see a time change in the file's modification date (the Finder by default only shows date changes to the nearest minute).
While the Finder is a useful tool, it is fairly limited in that it will only show you when a file has been changed and not when it's accessed, and it will also only do so for the files in a single directory. You can sometimes get creative and lucky by using smart searches and other Finder features to expand these limitations, but overall it is still a rather crude approach.
Instead of using the Finder, a few third-party applications are available that can really help determine when files are being accessed. The one I use the most, called Fseventer, builds a graphical filesystem tree of the files and folders that have been accessed after a given point in time. The utility is fast and shows all filesystem events, including those in hidden files and even temporary files.
To use the utility, just open it and then go to the application or setting you wish to test. Click the Play/Go button at the top of Fseventer's window and the program will start monitoring filesystem events. Then perform the action you are interested in and watch the Fseventer window to see what files are accessed. After this, to prevent Fseventer from showing activity from other processes, go back and click the Play/Go button again.
While Fseventer is an exceptionally useful program, it does rather blindly target all filesystem events, so if in the middle of your monitoring session the system performs a MobileMe synchronization or other similar action then you may see the window fill up with events that are not associated with the events you are monitoring. Therefore it may be useful to repeat monitoring sessions several times with Fseventer to confirm that the files being accessed are correct.
Finally, in addition to the Finder and Fseventer, you can use the Terminal command "fs_usage" to show filesystem events. This uses the same underlying technology as Fseventer, but can be used to isolate the filesystem events that were invoked by a certain process name or id. To use the fs_usage command, you will need to do the following:
Open the Terminal utility
Type the following into the Terminal:
Optionally type an additional space followed by the name of the application you are monitoring. In the case of iCal, for example, the command would look like the following:
sudo fs_usage iCal
After the command is typed, press Enter and supply your password (this must be done from an Admin account) and the command will output to the Terminal window each time the program performs a filesystem access operation. This is a basic use of the command, but if you read the manual page for the command you can supply flags and options to further specify the type of events the command will monitor. When you want to quit the process in the Terminal window, just press Control-C.