br945,
I feel your pain, no one seems to be answering your question.
No, if you've already tracked back to the original node [read IP/network] which was responsible for generating the e-mail, and the owner of said node is not responsible, there are not any other ways you could use the header to determine more accurately who was responsible for generating the e-mail. If a wi-fi connection existed on that node and it was unsecured, someone could have very easily accessed it and sent the e-mail and, assuming the AP does not generate logs, it would be untraceable.
Hypothetically, if the access point/router/gateway/whatever did generate logs and you would able to pinpoint the specific connection which generated the e-mail using date/timestamps, you would get the MAC address of the computer's wireless NIC and [possibly] the hostname of the computer. If the person was smart, they'd use a PCMCIA Wirleless NIC and simply discard it after they were done and there would go the MAC link.
Another hypothetical - if you suspected an individual in particular, you could do a forensic analysis of their machine and possibly identify artifacts related to the sending of the e-mail. But this would work in reverse..ie. only after you have someone in custody and would not allow you to identify someone before then, as you seem to want to be able to do here.
You could always go the circumstantial route - if you have the IP address of where the e-mail came from (assuming it wasn't spoofed), and the date an time the e-mail was sent, then you could use other means to determine who the perp was. For example, if the IP address was from a gated residential area or a business, maybe there were cameras which recorded who was in the area at the time. Or maybe knocking on doors in the area would lead to someone remembering a suspicious car parked outside or maybe it was a neighbor, etc. Like I said, circumstantial, but it's a route.
Jeff
Jeff thanks for covering the points exahustively. i have given a more general response in a separate message above.
thanks.
As said earlier, the PC owner and his PC have been proven to be clean. PC not left alone either so bad guy was not in physical control of that PC.
It doesn't seem to have been mentioned, but you should establish that the full traceback by headers is genuine, and not faked at any point.
If you send a mail with a fake history (a, b, c) to an open SMTP-server (d), it will keep your faked history, and only add its own (correct) entry to it. This is (or at least used to be) quite common with spam mails. Of course, the open mail server is chosen well – it must not log so much information in the header that the faked history (the step from c to d) becomes obvious. In such a case, investigating source 'a' is a waste of time. Looking at separate mail logs from 'd' may show the discrepancy.
That is, it probably becomes a question of economy how far the investigation can be carried.