What is "log retention policy" and its role in cybercrime investigations?

• A. A policy specifying how long logs are kept; important to preserve evidence and support incident timelines.
• B. A policy for deleting logs immediately after incident.
• C. A policy on how to log only failed attempts.
• D. A policy that logs are stored only in one server.

Answer: (A)

Log retention policy describes how long different logs—such as system, security, and application logs—are kept, where they are stored, how they’re protected, and when they’re disposed of. In cybercrime investigations, this policy matters because logs provide the timeline of events: who did what, when, and from where. Having an explicit retention period ensures investigators can access historical activity long enough to reconstruct the incident, verify statements, and establish a reliable chain of evidence. It also supports regulatory compliance, audits, and forensic analysis by helping preserve data integrity and ensuring logs remain accessible and tamper-evident.

If logs were deleted immediately or kept only in one place, crucial evidence could be lost or compromised, hindering investigations. Additionally, restricting logging to only failed attempts misses a lot of relevant activity that helps piece together what happened. A robust policy typically balances different log types, storage costs, and legal requirements while ensuring protection and proper backups so evidence remains usable over time.