[sinaa]

+ Shrugging-off an act of felony being committed.

Nevertheless, it does pose a more general question. Given that in many workplaces the employer has access to your work email/account, how can one prove that he/she did not send a particular email?

[PeterisP]

How does one prove that he/she didn't sign a paper document that has as signature looking like yours?

You don't, that's up to the police, prosecutors and forensics experts to handle.

[rwmj]

There's a large amount of information generated when you send an email, and a whole branch of IT (digital forensics) with many dedicated professionals who deal with such things routinely.

Even though I only worked peripherally with digital forensics people, and I know a lot about how email/computers/networks work, I know enough to know that I could never get away with forging an email (especially not one where anything serious depended on it).

[sinaa]

Still, as far as I understand it, it comes down to how good/competent the IT dept is at log-keeping, and how complicit they are in the forgery.

In a more broader way, how can one prove innocence if their company use the employee's credentials (ID/email/etc.) to drop the blame on them? Wouldn't it be the employees words against the employer, while at the same time the employer has the control over the data/evidence?

[rwmj]

Digital forensics professionals deal all the time with attempts at active fraud (eg. people deleting logs, clearing caches, etc). Even if the IT department didn't keep the logs, or tried to delete them, there would be some "Data remanence" on one of the various machines involved in sending/transmitting/receiving the email.

[dismantlethesun]

Do digital forensics professionals ever fail to find sufficient evidence, like their peers in the non-digital world?

[PeterisP]

Sure, but removing all traces is hard and most criminals are careless, sloppy or dumb.

I mean, if this particular case is real, someone has performed a serious crime, risking years in jail, for a comparably trivial reason and small gain - it's not an indication that the perpetrator is likely to be risk-averse, meticulous and smart.

If we were looking at a forged email as a part of a sophisticated campaign for extracting secret information or defrauding very large amounts of money, then it would be likely that the forgery is done carefully by skilled people thoroughly removing all traces - but for a reason like this? not likely. Heck, digital "intelligence ops" by major governments sometimes leave traces due to some sloppiness or carelessness, it's very hard to be sufficiently thorough.

[jamespo]

If they are clued up enough to require 2FA to send email remotely, they're clued up enough to keep logs.