
Retention policy

Definition

An organisation's rule specifying how long log data is stored before deletion or archiving. Policies are typically driven by compliance requirements and storage cost. Short retention windows create gaps in the forensic record when incidents are discovered late.

Related terms

Alert triage
The process of reviewing SIEM-generated alerts to determine which are genuine security events and which are false positives. In forensic investigations, alert...
Chain of custody
The documented chronological record of who collected, handled, transferred, and examined a piece of evidence. For digital evidence, chain of custody includes...
Log correlation
The process of matching related events from different log sources using shared attributes such as IP address, username, timestamp, or session ID....
Normalisation
The process of converting log data from different vendors and formats into a common schema so that fields can be compared across...
SIEM
Security Information and Event Management. A platform that ingests log streams from multiple sources, normalises them to a common schema, and applies...
