Module 2: T — Take a Snapshot
You were told to “just delete it” or “report it and move on.” Both pieces of advice skip the only step that actually helps anyone: preserving the evidence before it’s gone.
What You’ll Learn
Module 2 is the hands-on half of TRACE. You’ll learn the small, concrete actions that turn a suspicious email into a useful report:
- Why deleting destroys evidence — the headers, authentication results, and real link destinations all disappear the second you hit the trash icon, and none of it comes back
- Screenshots that help vs. screenshots that hurt — what a SOC analyst actually needs to see, what to blur, and the hover trick that captures the link destination attackers try to hide
- The one button that preserves headers — “Forward as Attachment” is buried in sub-menus for a reason, and it’s the single most important skill in this entire course
Modern AI makes fakes look perfect, so spotting them is only half the job. Preserving them correctly is the other half — and it’s the half that gets the attacker’s infrastructure taken down.
Why T Comes First
TRACE is ordered. The T — Take a Snapshot — comes before everything else because every other step depends on it. You can’t read headers you deleted. You can’t decode links you already sent to the trash. If you get T right, the rest of TRACE is mechanical. If you skip it, there’s nothing left to investigate.