If a moderator of an online forum edits my post to say something illegal, how could I prove I didn't write the incriminating message?

You're describing an attempt to incriminate you for a crime you didn't commit. This isn't unique to the Internet.

While in most countries with rule of law the prosecution needs to prove your guilt to a very high degree of certainty (e.g. "beyond a reasonable doubt" in the US), this does not mean absolute certainty. The fact that you can come up with a speculative alternative explanation of what happened is not necessarily enough to introduce reasonable doubt.

So just like in most criminal cases, a decision will be made on the specific facts of your hypothetical case. If you're talking about a major social network, the prosecution's case will be stronger than if you're talking about some guy's hobby project. If the prosecution shows that you have a history of crimes similar to the one you are framed for, that will make their case stronger as well. However, if you can show that someone with write access to your comments has a motive for framing you, that would be deadly to their case, as that shows a likely and coherent alternative explanation for the facts.

In the extreme case, though, where you're talking about a major social network and one of the database employees just decides one day to single you out for no reason and make you look like a lunatic that wants to kill the president (and he properly hides his tracks so the social network later insists you were the author), you're probably out of luck unless you can provide at least some proof. That hypothetical scenario is so far-fetched that in case it ever were to happen, no judge or jury would probably consider this a plausible alternative explanation without evidence.

While the situation you describe is very difficult for your hero, the company would have to have a hell of a reason to target your hero. Because, they only get to do that trick 2-3 times ever.

"The first time is happenstance. The second time is coincidence. The third time is enemy action." Military proverb.

The first person who claims this was done, straight faced, in open court, is an obvious liar. The second who claims it is a coincidence of liars. But the third is starting to get traction. Now the judge will be more tolerant of some exploration of this topic. People get subpoenaed, the logging system gets discussed, "how this could be done" becomes a topic of discussion. Third parties start snapshotting content from the site so alterations can be detected. The fourth time it happens, the company is caught red-handed, socially canceled, sued to oblivion, and some people go to jail for perjury and obstruction of justice in case #3.

So for this social media company to use one of its 1-2 "free shots" would require a truly extraordinary loathing from company management.

And here's the problem with that. That loathing wouldn't arise from nothing. It's gonna leave a documentation trail across social media or elsewhere in the world. It may be common knowledge among acquaintances that they had an acrimonious feud. There may be a restraining order or police records. So even defendant #1 would be able to show this to introduce doubt.

And similarly, as we certainly do know, a person doesn't get out of bed one day and decide to kill the president. Read "The Gift of Fear" by Gavin DeBecker. If they're active on social media, there'll be years of increasingly radicalized blah-blah. A conspicuous absence of such a profile makes it very much more likely to be a Joe Job by a third party.

The jury will figure that out, and so will the authorities. So their "one shot" probably wouldn't even work.

The primary evidence against you would be based on server logs or database entries of the website where the illegal information is posted. You could counter that evidence by recording logs of browser submissions on your side. There are extensions (e.g. Form Vault) which automate saving of web form submissions in your browser. It's also possible to set up a local proxy / vpn server which your browser would use, and collect the server's logs.

The degree of trust in logs from both side will likely depend on expert judgement. If the website in question is a major platform with proper security practices (automated log handling, strict access control on servers which store the logs and regular security audits), the log on your side (which you may have forged) may not be enough.

For a smaller website the degree of trust would be comparable, so having local logs would be an effective defence.

First, you would deduce that the software in question has the ability to edit public user posts without the user's knowledge. You then read through the Terms and Conditions of said service to see if this capability is mentioned or not. If it is, then your lawyer immediately asserts that someone else, without your knowledge, changed your post, and the T&C says this is possible. Bad news for social media company.

Otherwise, you issue a subpoena for the source code for said software, asserting that you need to prove that this capability, in fact, does exist. Of course, the company will fight tooth and nail to prevent this. Even worse, they can change the code to remove any such functionality before answering the subpoena. So you really need to subpoena the version control history for the software going back to before the event in question occurred (probably reasonable to ask for changes up to 1 year before the incident).

However, if you can find an insider who will simply admit that this capability exists, then you have a star witness. The larger the company, the more likely that such a person exists, and has no particular loyalty to the company (and may themselves be disgruntled). Such a person would work in Operations. You can also subpoena documents related to Sarbanes-Oxley (SOX) controls. Every tech company needs to maintain legal info on who is able to access sensitive company data or not, because the CEO needs to certify that everything works as advertised. This allows you to find out how accessible the message database is, and who has write access to it. Everyone with direct write access becomes a potential suspect.

You don't need to wade through the entire source code to make your case. You just need to find the bits that can write to the message database, and see what controls exist. Almost certainly, Operations folks will have this capability themselves, to fix urgent problems during outages. But most likely executives will also be able to order underlings to make directed changes. Pretty much every system in the world works like this without exception.

Your lawyer will not be able to prove who did it, but that's ok. What they will do is demonstrate that a large number of people have the capability of writing to the database without leaving logs of their activity, and this means that any insider is capable of spoofing you. At this point, the corporation will not want this fact to be widely publicized, so they will likely offer to settle.