Synopsis: incident flow analysis
A student named Eldo Kim has been found guilty of emailing bomb threats to Harvard University buildings to delay final exams.
1. Mr. Kim connects his registered MAC Address to the Harvard wireless network and subsequently to a TOR Entry node. Logged.
2. Sends bomb threat email to Harvard officials (most likely with FBI support.)
3. They examine email headers of bomb threat showing time stamp and TOR Exit node address (Which are known publicly)
4. Comparing time stamps of the MAC connection to TOR Entry node with that of the Email header X-Originating-IP of the TOR Exit node and email header time stamp closed the gap to the offender.

Plus he admitted to it under questioning (Headslap)

I asked our attorney who said that since nobody else was likely on TOR at the time and the time stamps in the email and Wifi logs coincided at each end of the TOR network, he likely would have been convicted based upon that evidence.
He was sentenced to 750 hours community service, will pay the police for the cost of the investigation and be confined to home arrest for 4 months.

See post below about avoiding such a failure