Here is a lesson that I learned the hard way. When you use keyscan_start and keyscan_dump, all those keystrokes are stored in RAM on the target machine- NOT on the hard drive. I suspected as much, and upon further reading its confirmed here:
I find it incredibly dumb that the only way to retrieve those keystrokes is to manually run keyscan_dump when you feel like investigating the contents. That's not very modular, nor is it easy to build upon. This is me just being a little baby, but seriously, if we're going to make something lets make it awesome...