Someone sends a drone message on Facebook. The criminal installs a new operating system and encrypts his hard drive. They then set up a no-log VPN with a dual VPN function so that even their ISP cannot prove that they are connected to this IP.
When I say a no-log VPN, it means that the VPN provider is running its servers on RAM hard drives.
They ensure that the real IP cannot be lost (DNS leak, etc.) and set up a global kill switch so that no outgoing traffic can be carried out outside the VPN. The Facebook account has a wrong name and is set up via the VPN IP, just like the associated email.
I understand that the LEA would initiate an investigation by going to the ISP and asking for an IP address and email associated with that account. The IP and email would lead to the IP of the VPN provider.
The LEA would then go to the VPN provider and request all the information associated with that IP (connections, connected IPs, session times, customers connected to this IP).
The VPN provider cannot pass on any information, since all servers are running on RAM disks and nothing is retained. You are at a dead end at the VPN provider.
You are probably trying to do something with the email. The email gives them all the information they have about them and may even force the email provider to track this email, but it doesn't show any information that isn't classified as evidence, not even that most of the time.
To people who say "How logless the VPN really is":
I understand that many providers have been proven to lie about it in legal proceedings. For this post, let's assume that the VPN provider has been checked, its servers have been seized, and it has been proven in court that it does not keep logs. I understand that this can change at any time, but for the sake of this question, let's say they don't keep logs.