DTrace in Mac OS X

February 2, 2023

Steps

  • Boot into recovery mode and disable only the DTrace restriction of System Integrity Protection (SIP) on Mac OS X

      csrutil enable --without dtrace
    
  • Note: SIP only blocks tracing of system executables that ship with macOS (under /bin, /System, etc.)

  • dtrace works for all non-system executables, so a copy of a system executable can be traced (just make a copy)

      sudo cp $(which ping) .
      sudo codesign --remove-signature ./ping
      # verify that the copy no longer carries a signature
      codesign -dv ./ping
      sudo dtruss -t open_nocancel ./ping google.com
    	
      csrutil status
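
A check for the SIP state that the steps above leave behind, as an added example that is not part of the original notes. The function names are hypothetical, and the sample text is constructed on the assumption that `csrutil status` prints one `Name: enabled|disabled` line per protection for a custom configuration.

```shell
#!/bin/sh
# Added example: read `csrutil status` text on stdin and report the SIP state.

# dtrace_state: print allowed, blocked or unknown for DTrace on system binaries.
dtrace_state() {
    status=$(cat)
    case $status in
        *"Protection status: disabled"*|*"DTrace Restrictions: disabled"*) echo allowed ;;
        *"DTrace Restrictions: enabled"*|*"Protection status: enabled"*) echo blocked ;;
        *) echo unknown ;;
    esac
}

# sip_relaxed: print the name of every protection reported as disabled.
# "Apple Internal" is skipped (assumption: it is a mode flag that is
# normally disabled, not a protection).
sip_relaxed() {
    # read with the default IFS strips the leading tab of each line
    while read -r line; do
        case $line in
            "Apple Internal:"*) ;;
            *": disabled"*) printf '%s\n' "${line%%:*}" ;;
        esac
    done
}

# Constructed sample of the text after `csrutil enable --without dtrace`.
sample_custom() {
    printf '%s\n' 'System Integrity Protection status: enabled (Custom Configuration).' \
        '' 'Configuration:'
    printf '\t%s\n' 'Apple Internal: disabled' 'Kext Signing: enabled' \
        'Filesystem Protections: enabled' 'Debugging Restrictions: enabled' \
        'DTrace Restrictions: disabled' 'NVRAM Protections: enabled' \
        'BaseSystem Verification: enabled'
}

# Use the live tool on a Mac, the constructed sample elsewhere.
if command -v csrutil >/dev/null 2>&1; then
    src=$(csrutil status)
else
    src=$(sample_custom)
fi
printf 'dtrace on system binaries: %s\n' "$(printf '%s\n' "$src" | dtrace_state)"
printf '%s\n' "$src" | sip_relaxed | sed 's/^/relaxed protection: /'
```

Any name other than DTrace Restrictions in the relaxed list means more of SIP is switched off than these steps require.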
    


Monitor System I/O

February 1, 2023

  • lsof

      # e.g. check pid_1, pid_2, exclude pid_3 every second (-r 1)
      # for directory ~
      lsof -p pid_1,pid_2,^pid_3 -r 1 +d ~
    
      # e.g. check localhost TCP connections to ports 80~1024 and smtp
      lsof -i tcp@0:80-1024,smtp
    
      # e.g. check dev
      lsof /dev/disk5s1
    
  • fs_usage

      sudo fs_usage pid
    

Disable Spotlight Search on Directories

February 1, 2023

  • Go to System Settings, Siri and Spotlight, then Spotlight Privacy
  • Drag and drop (or add) directories

I added git repos, .cache, and some big plaintext data folders