Title Collect email message
ID RA2202
Description Collect an email message
Author @atc_project
Creation Date 2019/01/31
Category Email
Stage RS0002: Identification
References

Workflow

Collect an email message using the most appropriate option:

  • Email Team/Email server: if there is such an option
  • The person that reported the attack (if it wasn't detected automatically or reported by victims)
  • Victims: if they reported the attack
  • Following the local computer forensic evidence collection procedure, if the situation requires it

Ask for the email in .EML format. Instructions:

  1. Drag and drop the email from the email client to the Desktop
  2. Archive with password "infected" and send to IR specialists by email