[sinaa]

Still, as far as I understand it, it comes down to how good/competent the IT dept is at log-keeping, and how complicit they are in the forgery.

In a more broader way, how can one prove innocence if their company use the employee's credentials (ID/email/etc.) to drop the blame on them? Wouldn't it be the employees words against the employer, while at the same time the employer has the control over the data/evidence?

[rwmj]

Digital forensics professionals deal all the time with attempts at active fraud (eg. people deleting logs, clearing caches, etc). Even if the IT department didn't keep the logs, or tried to delete them, there would be some "Data remanence" on one of the various machines involved in sending/transmitting/receiving the email.

[dismantlethesun]

Do digital forensics professionals ever fail to find sufficient evidence, like their peers in the non-digital world?

[PeterisP]

Sure, but removing all traces is hard and most criminals are careless, sloppy or dumb.

I mean, if this particular case is real, someone has performed a serious crime, risking years in jail, for a comparably trivial reason and small gain - it's not an indication that the perpetrator is likely to be risk-averse, meticulous and smart.

If we were looking at a forged email as a part of a sophisticated campaign for extracting secret information or defrauding very large amounts of money, then it would be likely that the forgery is done carefully by skilled people thoroughly removing all traces - but for a reason like this? not likely. Heck, digital "intelligence ops" by major governments sometimes leave traces due to some sloppiness or carelessness, it's very hard to be sufficiently thorough.

[jamespo]

If they are clued up enough to require 2FA to send email remotely, they're clued up enough to keep logs.