0
In this scenario, all the email activity was done with Outlook clients and MS Exchange.
I got an mail from B that includes a forwarded chain which suggests that B was authorised by C to take an action. B wants me to trust this chain as proof he was acting on something with approval. However, I am sceptical and C is adamant that he never sent B the mail that has been forwarded.
In C’s email account there is no trace of a request from B, no trace of a reply from C, and no trace of any deletion. While that is not proof, there is no reason whatsoever why C needs to conceal this. I suspect that B has copied a previous approval request email for a similar event, but edited the date and time it was sent to C, hoping to cover this latest event. I fear he has also created a fake reply from C and then forwarded this all to me as “proof”.
Can the email headers show that the alleged “ask-reply” chain did not really happen at the time and date that B has tried to represent? Is there any other technical indicator that will show the real provenance of B’s forwarded email chain?
4In short: you can not. – Máté Juhász – 2017-12-09T08:58:19.790
If the communication between B and C used DKIM, you could find the unique signatures that B reused or prove that the messages from C are invalid due to wrong signature. Otherwise you can't prove anything like @MátéJuhász says. – Marek Rost – 2017-12-09T09:07:54.607