A VM would bypass monitoring software installed on devices the person uses. A VPN would obscure their traffic such that it is encrypted and not easily monitored. Even something like SSH is encrypted and not straight-forward to monitor, so a VPN isn't required to do this anyway.

A remote VM would combine both of these things, where the device/computer is in a location that isn't monitored and accessed by means aimed at bypassing controls in place. Activities carried out from the remote VM are then not monitored.

User + Devices -> VPN/other -> Remote VM -> Unmonitored Activities / Network Access

^ Monitoring is here, but may not capture the rest of the chain

Law enforcement would need to monitor the VM itself to monitor those activities, or I guess request logs from the provider if at all possible.

There's a limit to how much you can monitor someone and I assume there's a degree of good faith in cooperation with these controls. Failure to comply, seemingly, has severe consequences.

> A VM would bypass monitoring software installed on devices the person uses.

Not really, no: a VM is just another userspace application and a monitoring software should be able to capture its traffic just fine. If he was also using a VPN, tor or conneting to a remote machine that's another story, but only saying he was using a VM doesn't really mean much.

Okay, that makes sense. But the monitoring software should capture the connection request to the VPN or Remote VM?