They're going to freeze the whole data center? It's rack after rack of machines that the traffic could have passed through, right? And if they're not logging IPs to RAM then they only have a fraction of a second to get the right one before the register is overwritten with the next user's info.
You do need to know where to send the user's return traffic, so you'll need a table ultimately comprising mappings of network flows to end-user addresses. Of course, once the flows close you don't need to retain this information. In practice, you'll also need information about all currently-open VPN sessions.
If the feds have physical access and considering the high likelihood that these are VMs and not physical, it would be a whole lot easier to get the hypervisor to just snapshot the VM w/ its memory and perform forensics against that file(s).
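An added sketch, not part of any comment in this thread and not any VPN provider's code: a minimal model of the state the thread describes (the flow-to-user table plus the open-session table), showing what a memory image links together while a flow is open and what remains once it closes or idles out. The class name, the 120-second idle timeout and all addresses are assumptions made for the example.

```python
# Added illustration (hypothetical model, not any VPN provider's code).
from dataclasses import dataclass, field

@dataclass
class ExitNodeState:
    idle_timeout: float = 120.0                   # assumed idle expiry in seconds
    sessions: dict = field(default_factory=dict)  # tunnel IP -> client's real IP
    flows: dict = field(default_factory=dict)     # flow key -> (tunnel IP, last seen)

    def connect(self, tunnel_ip, real_ip):
        self.sessions[tunnel_ip] = real_ip

    def disconnect(self, tunnel_ip):
        # Ending the VPN session drops the session entry and all of its flows.
        self.sessions.pop(tunnel_ip, None)
        self.flows = {k: v for k, v in self.flows.items() if v[0] != tunnel_ip}

    def open_flow(self, key, tunnel_ip, now):
        if tunnel_ip not in self.sessions:
            raise KeyError(f"no open session for {tunnel_ip}")
        self.flows[key] = (tunnel_ip, now)

    def route_return(self, key, now):
        # Return traffic can only be delivered while the mapping exists.
        entry = self.flows.get(key)
        if entry is None:
            return None
        self.flows[key] = (entry[0], now)
        return entry[0]

    def close_flow(self, key):
        self.flows.pop(key, None)

    def expire(self, now):
        # Idle flows are forgotten, as a NAT/conntrack table would do.
        self.flows = {k: v for k, v in self.flows.items()
                      if now - v[1] < self.idle_timeout}

    def snapshot(self):
        # What a memory image taken at this instant links together:
        # each open flow -> the real address of the user behind it.
        return {k: self.sessions[t] for k, (t, _) in self.flows.items()}

if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    node = ExitNodeState()
    node.connect("10.8.0.2", "198.51.100.7")
    key = ("tcp", 40001, "203.0.113.10", 443)
    node.open_flow(key, "10.8.0.2", now=0.0)
    print(node.snapshot())   # flow is open: mapping present
    node.close_flow(key)
    print(node.snapshot())   # flow closed: nothing left to correlate
```

Even with no flows open, `sessions` still holds the real address of every connected client, which is the "currently-open VPN sessions" point made above.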