by dylan604 1000 days ago
All this would do would be to lead the investigation to get a warrant/subpoena to have the VPN service provide user details about the account and anything else relevant like logs. This is where the "we don't log shit" bullet points come into play as well as running only from RAM. If the warrant allows for removal of hardware, all data is lost once power is removed. LEOs would have to bring lots of batteries.

They're going to freeze the whole data center? It's rack after rack of machines that the traffic could have passed through, right? And if they're not logging IPs to RAM then they only have a fraction of a second to get the right one before the register is overwritten with the next user's info.
You do need to know where to send the user's return traffic, so you'll need a table ultimately comprising mappings of network flows to end-user addresses. Of course, once the flows close you don't need to retain this information. In practice, you'll also need information about all currently-open VPN sessions.
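To make the point about the flow table concrete, here is an added illustration (not code from any commenter or from a real VPN product) of the minimal state an egress node has to hold: a mapping from each open outbound flow to the client's tunnel address, dropped as soon as the flow closes or idles out. The flow keys, client addresses and the event sequence are all constructed sample values.

```python
"""Minimal in-memory flow table for a VPN egress node (constructed illustration).

The table holds only what is needed to route return traffic: an egress flow key
mapped to the client's tunnel-internal address. Entries are removed on close or
idle expiry, so the live table never accumulates a history of past sessions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (proto, remote_ip, remote_port, egress_ip, egress_port) -- hypothetical key layout
FlowKey = Tuple[str, str, int, str, int]


@dataclass
class FlowEntry:
    client_addr: str   # tunnel-internal address that return packets are sent to
    last_seen: float   # timestamp of the last packet, used for idle expiry


@dataclass
class FlowTable:
    idle_timeout: float = 60.0
    _flows: Dict[FlowKey, FlowEntry] = field(default_factory=dict)

    def open(self, key: FlowKey, client_addr: str, now: float) -> None:
        """Record a new outbound flow so its replies can be routed back."""
        self._flows[key] = FlowEntry(client_addr, now)

    def lookup(self, key: FlowKey, now: float) -> Optional[str]:
        """Return the client address for an inbound packet, refreshing its timer."""
        entry = self._flows.get(key)
        if entry is None:
            return None
        entry.last_seen = now
        return entry.client_addr

    def close(self, key: FlowKey) -> None:
        """Flow finished (e.g. FIN/RST seen): forget the mapping immediately."""
        self._flows.pop(key, None)

    def expire(self, now: float) -> int:
        """Drop flows idle longer than idle_timeout; return how many were removed."""
        stale = [k for k, e in self._flows.items() if now - e.last_seen > self.idle_timeout]
        for k in stale:
            del self._flows[k]
        return len(stale)

    def active(self) -> Dict[FlowKey, str]:
        """Snapshot of what is currently resident in memory."""
        return {k: e.client_addr for k, e in self._flows.items()}


# Constructed sample flows and clients (not real addresses).
KEY_A: FlowKey = ("tcp", "203.0.113.10", 443, "198.51.100.1", 40001)
KEY_B: FlowKey = ("tcp", "203.0.113.20", 443, "198.51.100.1", 40002)
KEY_C: FlowKey = ("udp", "203.0.113.30", 53, "198.51.100.1", 40003)

# (time, action, key, client_addr) -- a constructed event stream.
SAMPLE_EVENTS: List[Tuple[float, str, Optional[FlowKey], Optional[str]]] = [
    (0.0, "open", KEY_A, "10.8.0.2"),
    (1.0, "open", KEY_B, "10.8.0.3"),
    (2.0, "pkt", KEY_A, None),      # reply for A: routed to 10.8.0.2
    (5.0, "close", KEY_A, None),    # A closes; mapping is gone
    (30.0, "open", KEY_C, "10.8.0.4"),
    (70.0, "pkt", KEY_C, None),     # reply for C: routed to 10.8.0.4
    (100.0, "expire", None, None),  # B idle since t=1.0 -> expired; C kept
]


def replay(events, idle_timeout: float = 60.0) -> dict:
    """Drive a FlowTable with the event stream and report what remains in RAM."""
    table = FlowTable(idle_timeout=idle_timeout)
    routed: List[str] = []
    expired = 0
    for now, action, key, client in events:
        if action == "open":
            table.open(key, client, now)
        elif action == "pkt":
            addr = table.lookup(key, now)
            if addr is not None:
                routed.append(addr)
        elif action == "close":
            table.close(key)
        elif action == "expire":
            expired += table.expire(now)
    return {"active": table.active(), "expired": expired, "routed": routed}


if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

At the end of the replay only the still-open flow for 10.8.0.4 is resident; the closed and idle flows leave no trace, which is the retention property the comment describes.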
If the feds have physical access and considering the high likelihood that these are VMs and not physical, it would be a whole lot easier to get the hypervisor to just snapshot the VM w/ its memory and perform forensics against that file(s).