Module 1: The Forensic Mindset
What You’ll Learn
By the end of this module, you’ll understand the mindset shift that turns a suspicious email from something you delete into something you investigate:
- The ripple effect of reporting — why one person’s report protects hundreds of coworkers, and how your suspicion becomes everyone else’s warning
- The invisible data every email carries — every message arrives with a trail of technical details that most people never see, but that tell a clear story about where it really came from
- The TRACE framework — a simple, repeatable process for gathering evidence from a phishing email so your team can block it, study it, and warn others
This isn’t about becoming a forensic analyst. It’s about learning to think like one for the five minutes it takes to help.
The Three-Act Arc
You’ve already met two frameworks in earlier courses. TRACE is the third act.
PUSHED taught you to notice how an email makes you feel. VERIFY taught you what to do with that feeling — step out of the message and confirm through another channel. TRACE is what you do once you know something is wrong: you stop reacting and start investigating.
| Framework | Question | Mode |
|---|---|---|
| PUSHED | “What am I feeling?” | Emotional |
| VERIFY | “Can I confirm through a separate channel?” | Behavioral |
| TRACE | “What evidence can I gather so others don’t fall for this?” | Investigative |
Each framework builds on the one before it. You can’t investigate an email you didn’t notice was suspicious, and you can’t gather good evidence until you’ve confirmed the email isn’t legitimate.
When to Use TRACE
Use TRACE after VERIFY confirms the email is fake, or when VERIFY can’t confirm it either way. It is the investigative step that turns your suspicion into evidence.