[AusNOG] Metadata retention... it's now (almost) a thing

Ross Wheeler ausnog at rossw.net
Mon Nov 3 08:28:58 EST 2014


> only reason I could see them needing the raw logs is if it is required for 
> evidence in prosecution (have had AFP agents fly in to pick up some form of 
> evidence before from a colleague in a previous job).

Fly, or drive - for what seems stupidly long times (two officers drove 
Sydney to Albury to collect some evidence from me). I believe it has a lot 
to do with the preservation of evidence integrity. They had to observe it 
being extracted, copy and certify, then keep it in their possession 
(presumably only until it got back to the office and into evidence locker 
or something).

I still don't see how they (think) they can guarantee any logs extracted 
from a system haven't been "fiddled with" before they get there. It would 
be a trivial task and I should think it would be either undetectable or 
impossible to prove it was either valid OR tainted.
