Hello.
You need to activate Qubes’ built-in feature for ephemeral encryption of volatile and root volumes, then remount all private volume directories to /dev/shm to guarantee complete anti-forensics. This guide implements the best path for anti-forensics:
You can use full ephemeral encryption or run the appVM entirely in RAM. In the next version of Qubes, an anti-forensics feature for appVMs should appear by default thanks to the Kicksecure devs: