How to forward a forensic copy of an email as an attachment
Step-by-step instructions on how to use many popular mail and webmail clients to properly forward emails as attachments with forensic headers intact
If you receive a fraudulent email, it can be very useful to send a full forensic copy to an organization that is being spoofed, industry partners, and law enforcement.
When a user clicks forward in a mail client, the client copies the message’s content and attachments to a new message. The original message headers are not included.
In order to send a full forensic sample that includes the original message headers, the original message must be sent as an attachment in a new message. The process for doing this varies by mail client.
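The difference described above can be checked on the receiving side. The following is an added example, not part of the original post: it uses Python's standard `email` module to build both kinds of forward from a constructed sample message and reports which forensic headers the recipient can still recover. The sample message, addresses, header list, and function names are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
# Constructed sample of a spoofed message (all names and addresses are made up).
ORIGINAL = (
    b"Received: from mx.example.net ([192.0.2.10]) by mail.example.org;"
    b" Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    b"Authentication-Results: mail.example.org; spf=fail\r\n"
    b"From: Example Bank <support@bank.example>\r\n"
    b"Subject: Verify your account\r\n"
    b"Message-ID: <1234@mailer.example.net>\r\n"
    b"\r\n"
    b"Please verify your account.\r\n"
)
# Headers an investigator typically needs (illustrative list, not exhaustive).
FORENSIC = ("Received", "Authentication-Results", "Message-ID")

def new_message(subject):
    msg = EmailMessage()
    msg["From"], msg["To"] = "victim@example.org", "abuse@bank.example"
    msg["Subject"] = subject
    return msg

def inline_forward(raw):
    """Regular forward: the body is copied into a brand-new message."""
    orig = message_from_bytes(raw, policy=policy.default)
    msg = new_message("Fwd: " + orig["Subject"])
    msg.set_content("---- Forwarded message ----\n" + orig.get_content())
    return msg.as_bytes()

def attachment_forward(raw):
    """Forward as attachment: the raw bytes travel as a .eml file."""
    msg = new_message("Forensic sample")
    msg.set_content("Original message attached.")
    msg.add_attachment(raw, maintype="application", subtype="octet-stream",
                       filename="sample.eml")
    return msg.as_bytes()

def recover_original(received):
    """Return the attached original message, or None if there is none."""
    outer = message_from_bytes(received, policy=policy.default)
    for part in outer.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
        if (part.get_filename() or "").lower().endswith(".eml"):
            return message_from_bytes(part.get_content(), policy=policy.default)
    return None

def missing_forensic_headers(received):
    orig = recover_original(received)
    return [h for h in FORENSIC if orig is None or orig[h] is None]
```

`recover_original` accepts both attachment styles: a `message/rfc822` part, or a saved `.eml` file attached as a generic file.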
AOL webmail
- In the list of emails in your inbox or folder, right click on the message (not in the message itself)
- Click View Message Source
- Select the entire raw message content, copy it, paste it into an empty text editor, and save the file with a .eml file extension
- Attach the file to a new email, and send it
Apple Mail on macOS
- Right click on the message in the list of messages
- Click Forward as Attachment
- Fill in the To field, and click send
Gmail/Google Workspace webmail
- Open the message
- Click on the three vertical dots in the upper right
- Click Show original
- Click Download Original, save it, and send it as an attachment in a new message
GoDaddy and Rackspace webmail
- Open the message you want to forward. To forward multiple emails, instead of opening an email, use the checkboxes to select the emails you want to forward.
- In the top right corner of the page, click the More Actions menu.
- Select Fwd. as Attachment.
- Click Apply. A new email is created with a .eml file attached.
- When the rest of the message is ready to go, click Send.
GroupWise
- From the GroupWise item list, select the e-mail(s) you wish to forward (multiple messages can be selected with Shift-Click, Ctrl-Click, etc.)
- Select the Action Menu
- From the Action Menu, select the “Forward As Attachment” Item
- Fill in the To field, and click Send
Notes
- Open the email
- Save it to a file by going to the File > Save As menu item
- Attach the file to a new email and send it
Outlook.com/Office 365 webmail
- Open the web mail in two browser windows
- Create a new email in one browser window
- In the other browser window, drag the email you want to attach from your email list, and drop it in the blank email
- Fill out the To field, and click send
Outlook for macOS
- In the messages list, right click the message you want to forward
- Click Forward As Attachment
- Fill in the To field, and click Send
Outlook for Windows
- Create a new email
- Drag the message you want to forward from the messages list and drop it in the blank message body
- Fill in the To field, and click Send
ProtonMail webmail
- Open the message you want to forward
- Click on the down arrow to the right of the forward button
- Click Export, and save the decrypted email
- Create a new email, and add the exported email as an attachment
- Fill out the To field, and click send
Thunderbird
- In the messages list, right click on the message you want to forward (or select multiple messages and then right click)
- Select Forward as attachment
- Fill in the To field and click Send
Windows 10 Mail app
- Open the message
- Click on the three horizontal dots in the upper right
- Click Save As, and save the email as a file
- Attach the saved file to a new email, fill in the To field, and click send
Yahoo webmail
- Open the message
- Click on the three horizontal dots in the upper right, and click View Raw Message
- Select the entire raw message content, copy it, paste it into an empty text editor, and save the file with a .eml file extension
- Attach the file to a new email, and send it
This post is licensed under CC BY 4.0 by the author.