In the world of terminal recording, asciinema is the undisputed king. It’s modern, it uses JSON, it’s web-native, and it’s everywhere.

So, why on earth did I build PentLog on top of ttyrec—a format from the year 2000 that smells like old C code and despair?

It wasn’t nostalgia. It was a tactical decision for Evidence Integrity.

The JSON Trap

Asciinema (v2 format) logs are essentially a list of JSON arrays, one event per line. It’s clean and easy to parse.

But here’s the nightmare scenario for a Red Teamer or Sysadmin: You’re in a critical root shell. You’ve been gathering evidence for 3 hours. Suddenly—kernel panic, OOM killer, or the connection just dies hard.

If the recorder process crashes before writing the closing JSON structure or flushing the buffer properly, you might end up with a malformed file. Sure, you can repair it, but in a forensic context, “repaired” logs are suspect logs.

The Raw Stream Power

ttyrec is raw. Beautifully raw. It’s just a stream of: [sec] [usec] [len] [buffer]

It appends raw bytes to the file as they happen. If the process gets kill -9’d instantly? You still have every single byte up to that millisecond saved on disk. No closing tags, no valid JSON structure required.

You can cat a half-written ttyrec file and it will still play. That is evidence integrity.
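To make the crash-survival property concrete, here is an added Go example (my own code, not PentLog’s): a minimal parser for the ttyrec stream described above that returns every complete record and reports a half-written trailing record as ErrTruncated instead of discarding the file. It assumes the classic ttyrec layout of three little-endian uint32 fields (sec, usec, len) followed by len payload bytes; the sample session bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Record is one ttyrec frame: little-endian uint32 sec, usec, len, then len bytes of output.
type Record struct {
	Sec, Usec uint32
	Data      []byte
}

var ErrTruncated = errors.New("ttyrec: truncated trailing record") // stream ended mid-record
// ParseTTYRec returns every complete record in b; a partial trailing record yields
// ErrTruncated, but the records before it are still returned (bytes that hit disk survive).
func ParseTTYRec(b []byte) (recs []Record, err error) {
	le := binary.LittleEndian
	for len(b) > 0 {
		if len(b) < 12 {
			return recs, ErrTruncated // header cut short
		}
		size := uint64(le.Uint32(b[8:12]))
		if uint64(len(b)-12) < size {
			return recs, ErrTruncated // payload cut short
		}
		recs = append(recs, Record{Sec: le.Uint32(b[0:4]), Usec: le.Uint32(b[4:8]), Data: b[12 : 12+size]})
		b = b[12+size:]
	}
	return recs, nil // clean end exactly on a record boundary
}

// EncodeRecord builds one frame; used here only to construct sample input.
func EncodeRecord(sec, usec uint32, data []byte) []byte {
	hdr := make([]byte, 12)
	binary.LittleEndian.PutUint32(hdr[0:4], sec)
	binary.LittleEndian.PutUint32(hdr[4:8], usec)
	binary.LittleEndian.PutUint32(hdr[8:12], uint32(len(data)))
	return append(hdr, data...)
}

// SampleStream is a constructed session: a complete record, then one cut off 5 bytes into its payload (kill -9 mid-write).
var SampleStream = append(EncodeRecord(1700000000, 0, []byte("$ id\r\n")),
	EncodeRecord(1700000001, 250000, []byte("uid=0(root)\r\n"))[:12+5]...)

func main() {
	recs, err := ParseTTYRec(SampleStream)
	fmt.Printf("recovered %d complete record(s), err=%v\n", len(recs), err) // 1, truncated
}
```

Because it slices into the buffer instead of allocating from the len field, a damaged header cannot trick this parser into a huge allocation; a streaming variant that reads from an io.Reader should cap len before calling make.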

The Modern Wrapper (Golang)

The problem with ttyrec isn’t the format; it’s the tooling. The original ttyrec binary is clunky, has dependency issues, and doesn’t do anything but record.

That’s where PentLog comes in.

I used Go to wrap the robust ttyrec format with modern capabilities:

  1. Signal Handling: We just fixed a nasty SIGTTIN bug in v0.14.0 that caused shell hangs. Managing process groups in Go is tricky, but essential when you’re wrapping a PTY.
  2. Metadata: We store session metadata (user, host, timestamps) separately or in a custom header, keeping the raw stream pure.
  3. Search & Replay: We parse the raw stream in memory to allow full-text search (TUI) and native GIF rendering without touching the original evidence file.

Conclusion

Old tech isn’t always “legacy debt”. Sometimes it’s just battle-tested.

When your job depends on proving what happened in a shell no matter what happens to the machine, you don’t want a format that needs to “close gracefully”. You want a format that survives the crash.

That’s why PentLog uses ttyrec. We just gave it a modern suit of armor.

(P.S. If you dig this “Evidence-First” philosophy, tactical support on the repo is always appreciated.)