Investigations like this generally consist of three distinct phases.

Phase One: Traffic Analysis reveals the location of a suspect

This is usually because the suspect did not use any anonymity measures, so their IP address was logged by some LE fuckwad. The IP address by itself is not enough to get a conviction because results from traffic analysis can be misleading, but in most cases the results do point to the correct suspect. An example of when the results are misleading would be if the previously mentioned LE fuckwad logs an IP address of an open wireless access point that was used by the real target, or if they log the IP address of a proxy exit node that was used by the real target, etc. The results from traffic analysis are used to get an initial search warrant for the home of the owner of the identified IP address, as well as warrants to confiscate the computer equipment at the identified home so that it can be subjected to computer forensics.

A countermeasure against traffic analysis is the use of Tor. There are several techniques used though: some people use Tor, Freenet or I2P, others use HTTP proxies, others use paid VPN services, others use botnets, others use open WiFi access points, some people hack into the servers they access and actually delete log files, etc. Generally people consider Tor, Freenet and I2P to be the best measures for protecting from traffic analysis. VPN services are hit or miss, but more often than not the VPN will only provide temporary and limited protection from an attacker; the same goes for open proxies for the most part. Botnets are actually considered one of the most secure ways of protecting from traffic analysis. I have even heard the Tor developers say that somebody with a botnet bigger than Tor can have protection greater than Tor can provide, so having a really big botnet is probably your best bet for maintaining anonymity, with Tor, I2P and Freenet coming in a close second.
Phase Two: Field agents raid the suspect and seize computers

After identifying a suspect IP address and determining the person it is associated with, the police get a warrant and carry out a raid of the suspect. This doesn't happen in all cases though, due to the limited resources of the police; in fact only a small minority of IP addresses identified as engaging in illegal activity are ever followed up on, generally sorted by the severity of the crime (i.e. the more they want you, the more likely they are to spend their limited resources actually raiding you, etc.). One of the reasons that they want to force ISPs to store logs of which customer is assigned which IP address at what time is that sometimes, by the time they work through their list of identified suspect IP addresses to a certain target, they can no longer associate the IP address with a subscriber's account because the ISP no longer has logs.

Anyway, the way a raid is carried out will differ based upon the skill level of the raiding police as well as their own analysis of the level of security they expect you to be utilizing. If the police raiding you are not skilled, they will likely simply kick your door down or knock on your door, arrest you, unplug your computers and send them to a forensics lab. If the police raiding you are skilled enough, and they think that you are using encryption, they will very likely try to obtain your computers while they are still booted up and then try to obtain the encryption keys from RAM prior to sending them to a forensics lab.
There are techniques you can use to protect yourself from field agents obtaining your encryption keys during a raid. Some people have hotkeys that instantly wipe encryption keys and power off the machine after they are hit; some people even make deadman switches that will wipe encryption keys and power off the machine if they do not have pressure applied to them (i.e. you sit on it, and if the police tackle you to the ground your encryption keys are instantly wiped and your system shuts down). I have heard of people monitoring entrance points to their homes with CCTV cameras, and there are also technical solutions that can be attempted, such as using Tresor to store encryption keys in CPU registers instead of in RAM.

Phase Three: Forensic technicians analyze the seized computer attempting to gather evidence

Depending on the type of investigation this step may play a critical role. In the case of drug trafficking investigations a forensic analysis of the seized computer will likely not be crucial to obtaining a conviction; the drug trafficker will likely be caught with drugs during Phase Two, or following Phase One they will be put under surveillance during which they are observed obtaining and/or sending out drugs. In a drug trafficking investigation the forensic analysis will largely be an attempt to find addresses, names or phone numbers of contacts/customers, possibly chat logs between the vendor and his customers/supplier, and perhaps evidence of ties to a ring or similar. On the other hand, in hacking or especially CP investigations, Phase Three is often critical to secure a conviction, unless Phase Two field agents utilize techniques such as hardware keyloggers (overall rare but not unheard of, and more common in bigger cases), hidden cameras (also rare), TEMPEST surveillance (I have only heard of this being used in espionage and terrorism related cases), etc., prior to a raid.
In these cases I would say Phase Two has Part A and Part B, with Part A consisting of surveillance and Part B consisting of a raid. In most cases there is not a Part A, even if it would be beneficial to the investigation and to securing a conviction. Anyway, the forensics technicians will look for incriminating evidence (perhaps look for the ONLY incriminating evidence, in the case of CP investigations), they will try to build a timeline of criminal events, they will try to tie the illegal activity to a single user of the physical computer, etc. In most cases, forensics technicians are nearly completely incapable of doing analysis on a machine that has its entire persistent storage drive encrypted. They may be able to tie the MAC address of a networking card to a session used for illegal activity on an open access point, or things like this, but 99% of what they do requires an unencrypted drive to analyze. FDE almost completely removes the ability for Phase Three to be carried out, unless the encryption can be broken or the password guessed. Since many investigations entirely rely on Phase Three to secure a conviction, FDE is a major hindrance to the government's ability to prosecute certain crimes.

Not everybody protects themselves from all steps of a computer based criminal investigation. I would say actually that the majority of people do nothing to protect themselves from traffic analysis, surveillance, raids or forensic analysis. Of the people who do protect themselves somewhat, not all of them protect themselves adequately or completely. Some people will use a single hop HTTP proxy as their only defensive technique; others will use FDE but will not make any attempt to protect themselves from traffic analysis (likely the case in the investigation mentioned in the OP). The most secure people protect themselves from all phases of an investigation, often redundantly (Tor + open WiFi, Tresor + memory wipe hotkey, FDE + TrueCrypt containers).
Since each phase relies on the success of the previous phase in order for it to even be initiated, it is obvious that the most important thing to protect yourself from is traffic analysis. If the attacker cannot identify who you are, they cannot place you under surveillance, they cannot seize your computer and they cannot have forensic technicians analyze your seized computer. If you put all of your eggs in one basket, it should definitely be the anonymity basket.

On the other hand, some people put all of their eggs in the encryption basket, and this has generally worked out okay for them, depending on the country they are in. Some people in the USA have had CP charges dismissed because no CP could be recovered from their encrypted drives; on the other hand, we have cases where they are held in contempt of court for refusing to reveal passwords. In countries like the UK the government has made laws saying that people must give up their passwords if ordered to do so by the police, and this is so that Phase Three can be completed in order to secure a conviction, but Phase Three is never reached in cases where Phase One is never completed. Also, refusing to give up your password generally results in a much lesser sentence than you would receive if you do give up your password; most people would rather be held in contempt of court and jailed for a year than convicted of possession of CP, sent to prison for some decades and labeled as a sex offender for life.

Note that in more advanced investigations it might make more sense to break things apart into five distinct phases, or even to avoid a cookie cutter model like this, but in the majority of cases these are the phases that the investigation consists of.