Yeah, the lawyer who was doing our training just left it at 'keep it as long as you can'. Doesn't have to be forever per se, just as long as it's financially and technically viable for your company, and if you got rid of it you had better have good reason (preferably documented). Of course he was talking about more than just forensics, he was talking about any data that could be used in any kind of legal proceedings ever. Basically so you don't pull an Arthur Anderson (think enron accounting) and start shredding docs or ditching data in some suspicious manner.

As for the md5 +sha-1 thing, the advice I got was to use both. This is to remove doubt about the file integrity and the possibility of hash-collisions. Just getting rid of more lawyer doubt about your evidence.