Crash Recovery¶

Protect your evidence from unexpected session terminations.

How It Works¶

PentLog tracks session state with a heartbeat mechanism:

Session State Tracking — Each session is active, completed, or crashed
Heartbeat — Updated every 30 seconds during recording
Stale Detection — No heartbeat for 5+ minutes = crashed
Startup Warning — Any pentlog command warns about crashed sessions

Session States¶

State	Description	Indicator
`active`	Currently recording
`completed`	Ended normally
`crashed`	Terminated unexpectedly

Detecting Crashed Sessions¶

Automatic Warning¶

On any pentlog command:

$ pentlog sessions

⚠️  Warning: 1 crashed session(s) detected.
   Run 'pentlog recover' to review and recover them.

List Crashed Sessions¶

pentlog recover --list

Recovery Options¶

Interactive Recovery¶

pentlog recover

Menu options: - List crashed/stale/orphaned sessions - Recover specific session - Recover all crashed sessions - Mark stale sessions as crashed - Clean up orphaned entries

Recover Specific Session¶

pentlog recover --recover 42

Recover All Crashed Sessions¶

pentlog recover --recover-all

Mark Stale as Crashed¶

pentlog recover --mark-stale

Clean Orphans¶

Remove database entries with missing files:

pentlog recover --clean-orphans

Common Scenarios¶

SSH Disconnect¶

# SSH drops during 4-hour exam
# Reconnect and run any pentlog command
$ pentlog sessions

⚠️  Warning: 1 crashed session(s) detected.

# Recover the session
$ pentlog recover
✓ Session 42 recovered successfully

# Session is now usable
$ pentlog replay 42

System OOM Kill¶

# Process killed by out-of-memory
# On next pentlog command, session is marked crashed
$ pentlog recover --recover-all
✓ Recovered 1 crashed session(s)

Power Failure¶

# Power loss during recording
# After reboot, session is marked crashed
$ pentlog recover
# Review and recover as needed

Recovery Workflow¶

Crashed Session Detected
        ↓
   pentlog recover
        ↓
   Review Sessions
        ↓
   Recover Selected
        ↓
   Session Usable

What Gets Recovered¶

Recovery ensures: - TTY recording preserved - Metadata intact - Notes and vulnerabilities saved - Searchable in database - Exportable to reports

Prevention Tips¶

Stable Connection

Use tmux or screen on remote systems to survive disconnects.

Regular Exports

Export reports periodically during long engagements.

Monitor Resources

Watch memory usage to avoid OOM kills.