A VM would bypass monitoring software installed on devices the person uses. A VPN would obscure their traffic such that it is encrypted and not easily monitored. Even something like SSH is encrypted and not straight-forward to monitor, so a VPN isn't required to do this anyway.
A remote VM would combine both of these things, where the device/computer is in a location that isn't monitored and accessed by means aimed at bypassing controls in place. Activities carried out from the remote VM are then not monitored.
User + Devices -> VPN/other -> Remote VM -> Unmonitored Activities / Network Access
^ Monitoring is here, but may not capture the rest of the chain
Law enforcement would need to monitor the VM itself to monitor those activities, or I guess request logs from the provider if at all possible.
There's a limit to how much you can monitor someone and I assume there's a degree of good faith in cooperation with these controls. Failure to comply, seemingly, has severe consequences.
> A VM would bypass monitoring software installed on devices the person uses.
Not really, no: a VM is just another userspace application and a monitoring software should be able to capture its traffic just fine. If he was also using a VPN, tor or conneting to a remote machine that's another story, but only saying he was using a VM doesn't really mean much.
It's possible to pass PCI devices directly to the VM at which point they don't exist as far as the host OS is concerned. You can pass an entire USB hub to the VM and anything plugged into it is invisible to the host OS (at least by default).
Ok, but you certainly need root privileges to do that, in that case you could bypass the monitoring software in many other ways.
Okay, that makes sense. But the monitoring software should capture the connection request to the VPN or Remote VM?