CBRN Warfare and the Collection of Useful Evidence


Allegations of the use of chemical, biological, or radiological weapons or materials are occasionally made during conflicts.  Establishing actual facts on the ground after an alleged incident is particularly difficult due to the physical properties of such devices and weapons.  Collecting evidence in such circumstances is simultaneously very important, potentially hazardous, and very difficult. Establishing the who and the why in this situation will be made much easier if the what and the how are established.

No reader should take this paper as any inducement or provocation to go out and attempt to collect evidence on their own.  It can place you in a dangerous position. The primary purpose of this paper is to explain how difficult these things are.  Furthermore, an ill-considered attempt to do so may end up in someone risking life or health to collect some shred of material of limited value, if the collection, handling, and storage of that material is done in a slipshod manner.  I would not countenance risking life or health for collection of samples, particularly if the evidence turns out to be of dubious value.  Please see my disclaimers.

Not every sample has evidentiary value.  A sample can be taken in ways that make its use as evidence improbable or impossible.  Also, samples that are useful evidence may be of insufficient quality to be useful in legal proceedings, i.e. evidence that is of forensic value.  There is a wide continuum of material ranging from “some stuff some guy found somewhere” to “useful evidence properly collected, handled, and stored, of quality good enough to use in court.”  The burdens and barriers between the two ends of this spectrum are non-trivial.

This paper is not meant to replace any practical guide or manual.  I strongly suggest that readers seek out the works of Steven C. Drielak, who has written several works in this area that I consider to be canonical references.  Also, there are numerous safety precautions that need to be observed.  This type of investigation poses many dangers to life and health, and I do not have time to list them all or to advise the necessary precautions and countermeasures.  Nor do I have time to provide a basic overview of fundamental forensic procedures.  These can be found in many references.

Safety and Health:

If we are talking about chemical, biological, or radiological warfare materials, then we are talking about things that are potentially hazardous to life or health.  Both the scope of potential hazards and the types and methods of protection that may or may not be available to a possible evidence collector are far too broad to discuss in such a short paper.  We are talking about dangerous substances which need to be handled correctly.  I can only hope to provide approximate and general guidance, which is as follows:

  • “CBRN Kit” isn’t one thing – Stuff that protects you against chemical warfare agents may or may not be of use against, say, radiological threats.  The equipment you use needs to be sufficient to the job.
  • Select the right protective equipment for the job.  Masks and gloves are fine for some types of hazards.  But some things can be absorbed through the skin, so some circumstances need full head to toe protective clothing.
  • Unexploded ordnance is too dangerous to touch or handle without specialty assessment.  Just because something didn’t explode when it was supposed to doesn’t mean it isn’t going to explode later, or when you touch it.  Or in three days in your hotel room.
  • Many bad things have delayed effects.  Just because a vapor, gas, liquid, or powder doesn’t cause immediate signs/symptoms, it doesn’t mean that it isn’t harmful.  Remember, nearly every fatality from chemical warfare in the First World War came from materials that had delayed effects.
  • Dust masks and surgical masks are good for some things and not others. DO NOT rely on such a mask in chemical circumstances.
  • Do not risk your life for a sample.  Some possible samples may be too dangerous to collect with the equipment and experience that you have on the spot.

Procedural Considerations and Practical Concerns:

Whether or not some piece of matter is useful as evidence has an awful lot to do with procedural matters.  This section of this paper is intended as a rough guide to trying to steer “some stuff I found” into “proper sample” into “evidence” and, ultimately and hopefully, into “evidence of useful forensic quality”.  Again, I steer readers to established references on this subject, as all I can hope to do here is to provide the roughest of rough guidance in plain language.

The best way to envisage “integrity of the evidence chain” is to imagine that you have the world’s best and most expensive defense lawyer protecting the person who is accused of whatever deed you are investigating.  This lawyer is going to question every step of the collection and handling of the evidence and probe everything you did, with a view to sowing doubt about whether or not the particular bit of evidence is useful.  A good defense lawyer is going to try to have a judge throw out evidence as “inadmissible” – and you need to anticipate as many of the “let’s get the evidence thrown out” tactics as possible.  The following paragraphs are a basic attempt to cover some of this complex subject, in the form of example questions and possible answers.  By looking at these Q’s and A’s, you can see how a well-trained and well-equipped investigator can do this properly.

Tying a sample to a specific place and time: You have a bag of, say, soil and shell fragments.  You collected this on Monday at 9 am at a specific place. But how do you prove it?

Q: The lawyer is going to ask: “How do we know this is the bag you say you collected at 9 am on Monday at Place X?”

A: “Because I kept a list of the evidence I collected.  I numbered the bag with a unique number.  This bag of soil and fragments is ‘Sample 12’ – and it says that on my list, with a description of where and when I collected it.  There’s a tag on the bag that says Sample 12.  I also have video and still photos of me collecting this sample, and those images show the clear marking on the sample bag.”

Integrity of the container:  Container integrity refers to whether or not you used the right way of storing material.  Have you used the right item for the job?  How do you know that something hasn’t escaped from the container?  How do you know something hasn’t been added to the container? There are both physical and administrative ways to deal with this.  Back to our example of the

Q: “How do you know that nothing was taken out of or put into the bag that has these shell fragments?”

A: “I used a special bag.  It has a unique seal with a unique tracking number. If someone had tried to open the bag, the seal would have broken or I would have seen evidence of tampering.  The bag’s tracking number is the same as on the list where I wrote it down when I took the sample.”

Chain of custody: It is a long time after the incident.  How do you prove that the bag of soil and fragments is the same one that you collected?  Has it been out of your hands for a minute in the intervening days, weeks, months?  A chain of custody is an administrative countermeasure to concerns about where the material may have been.  A good chain of custody shows who had custody of a piece of evidence from the time it has been collected.  There should be no gaps or periods of time where nobody had custody of the material.
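The custody rule above (no period in which nobody holds the sample), together with the sample number and seal number from the earlier answers, can be checked mechanically once the log is kept as structured records. This is an added example, not part of the original paper; the record fields, the names, and the sample data are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Sample:
    number: int            # unique number on the tag and in the evidence list
    seal_id: str           # tracking number of the tamper-evident seal
    collected_at: datetime
    place: str
    collector: str


@dataclass(frozen=True)
class Transfer:
    sample_number: int
    released_by: str
    received_by: str
    at: datetime
    seal_id_seen: str      # seal number read off the container at hand-over
    signed: bool           # both parties signed the log entry


def audit(samples, transfers):
    """Return a list of findings; an empty list means the log is consistent."""
    findings = []
    # Sample numbers and seal numbers must each be unique across the log.
    for field in ("number", "seal_id"):
        counts = Counter(getattr(s, field) for s in samples)
        findings += [f"duplicate {field}: {v}" for v, n in counts.items() if n > 1]

    known = {s.number for s in samples}
    findings += [f"transfer for unlisted sample {t.sample_number}"
                 for t in transfers if t.sample_number not in known]

    for s in samples:
        holder = s.collector   # custody starts with whoever collected the sample
        chain = sorted((t for t in transfers if t.sample_number == s.number),
                       key=lambda t: t.at)
        for t in chain:
            tag = f"sample {s.number} at {t.at:%Y-%m-%d %H:%M}"
            if t.released_by != holder:
                findings.append(f"{tag}: custody gap, released by "
                                f"{t.released_by} but last holder was {holder}")
            if t.at < s.collected_at:
                findings.append(f"{tag}: transfer predates collection")
            if t.seal_id_seen != s.seal_id:
                findings.append(f"{tag}: seal {t.seal_id_seen} does not match "
                                f"logged seal {s.seal_id}")
            if not t.signed:
                findings.append(f"{tag}: hand-over not signed")
            holder = t.received_by
    return findings


# Constructed sample data: "Sample 12", collected Monday 9 am at Place X.
SEAL = "SEAL-0001-CONSTRUCTED"
S12 = Sample(12, SEAL, datetime(2024, 1, 1, 9, 0), "Place X", "Investigator A")
GOOD_LOG = [
    Transfer(12, "Investigator A", "Courier B", datetime(2024, 1, 1, 17, 30), SEAL, True),
    Transfer(12, "Courier B", "Lab C", datetime(2024, 1, 3, 8, 15), SEAL, True),
]
BAD_LOG = [
    GOOD_LOG[0],
    # Released by someone who never received it, wrong seal, no signatures.
    Transfer(12, "Courier D", "Lab C", datetime(2024, 1, 3, 8, 15),
             "SEAL-0002-CONSTRUCTED", False),
]

if __name__ == "__main__":
    for finding in audit([S12], BAD_LOG):
        print(finding)
```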

Blanks:  The use of “blanks” is both a technical and procedural safeguard to help prove the integrity of your processes.  There are several kinds of blanks, and various nomenclatures for them.  I will give an example:

You are going to use glass sample jars to keep solid and liquid samples collected in the field.  You have procured a number of sterile jars.  Some of these jars, picked at random from the lot of jars that you bought, need to be left in the laboratory.  The jars that you leave in the laboratory can be tested after the operation to ensure that they are actually sterile. In addition, some of the jars should be taken out to the field but not used.

Sterility: How do you know that there wasn’t already something in the bag/jar/vial that you used?

Q: “How do I know that there wasn’t already Sarin in this sample jar before you put the fragments of the rocket in it?”

A: “First, I used fresh clean gloves from the packet before I handled the fragments.  Second, I used a certified sterile sample jar. We have the certificate of sterility from the manufacturer, who can provide you information on the sterilization process that they use.  I used a sterile plastic spoon to collect the sample, and you can see I also submitted that spoon as evidence.  You can see me on the video opening the wrapper of the jar, then opening the jar, and then placing the fragment into the jar.  You can also see where I closed the jar and placed a unique numbered seal on the lid of the jar.  We have also kept sample blanks – we submitted a jar from the same lot of sample jars for analysis, and we did the same with the sampling spoon. We never opened the package, but this jar made the same trip out to the field with us.  The lab analysis of this ‘trip blank’ jar shows that no contamination was in it and it remained sterile.  By analyzing the contents of this ‘trip blank’ we also know that we can have confidence in both our field and laboratory procedures.”

Cross-contamination: Cross-contamination is basically what occurs when you accidentally spread something bad from one place or one thing to something else.  An example would be if you wear some gloves to pick up a shell fragment that has chemical residues on it.  This is fine for picking up the one shell fragment, but any other shell fragment or anything else you handle after it may have contamination transferred to it.   The same thing happens with tools – a shovel can spread contamination as easily as dirty gloves.

Consistency:  Wherever and whenever possible, attempt to collect samples of relatively standard size.  This will make it easier to do one-to-one like-for-like comparisons.  If you are swabbing a floor, for example, use a template to make sure that each time you are swabbing a similar amount of the floor surface.  Use a new template each time – even a plain piece of paper with a 10 cm x 10 cm hole in it can be used as a template.

Your equipment is also evidence: Your boots and gloves are likely to contain samples of investigative interest.  They become part of the evidence.  A positive test on your protective clothing, for example, indicates that somewhere along your journey that day, you were exposed to the material in question.

Background Readings: Wherever and whenever possible, it is very useful to collect background samples from areas close to the area of concern, but not obviously affected by the problem you are investigating.  This will help collect good background information.

Q: You say you found anthrax spores in the soil.  But anthrax is a naturally occurring disease.  How do you know it wasn’t already there?

A: We collected soil samples in 5 areas where there was no obvious indication of having been involved in the suspected attack.  We analyzed those samples, and found no anthrax in them.

Summarizing some Best Practices:

  • Exchange gloves between samples.
  • Document everything you do.  Use both videos and still photos.
  • If possible, use detection equipment to help you find the best material and locations to take a sample.
  • Tie every single sample to a place and time by using a detailed log. Give every sample a number.  Enabling the GPS-tagging on your video and photo equipment can help with this.
  • Always use sterile containers.  And be sure you can document how you know the container is sterile.
  • Always use sterile tools.  Cheap disposable tools are best.  If you need to use a tool for a second sample, it needs to be very thoroughly cleaned and you must have some procedure to ensure that it is sterile so as to avoid cross-contamination.
  • Seal every container in a way so as to ensure that any tampering is evident.
  • Keep a log of every sample, and maintain a chain of custody in documented form.  Make sure there are names, times, dates, and signatures whenever the sample changes hands.
  • Always use blanks.
  • Try to determine who and what may have been in the “crime scene” in the period of time between the incident and your investigation.

Obstacles to CBRN investigations in conflict areas.

CBRN warfare incidents, by definition, occur largely in war zones.  Areas of active armed conflict are, by definition, full of charged politics and strong opinions.  This is a challenging environment in which virtually every circumstance conspires against the ability to conduct an effective investigation.  The following points illustrate how savagely difficult this business can be and represent the basic obstacles that hinder an investigation.

  1. Transitory nature of CBRN evidence.  Chemical warfare agents evaporate or degrade in the environment. Biological warfare agents are generally not visible to the naked eye.  Bacteria and viruses degrade quickly in nearly all field conditions.  Capturing a sample of gas or vapor isn’t easy even five minutes after it was released.  Gases and vapors drift away with the wind. Liquid agents evaporate.  Most CWAs suffer from hydrolysis (reaction with water).  Traces of biomarkers in blood and urine do not last forever after an incident.
  2. Passage of time erodes any crime scene, large or small. This is a fundamental tenet of criminal investigation.  Things that were in the crime scene can be taken away, deliberately or inadvertently.  Things can be introduced into the crime scene that were not there during the incident. The passage of any amount of time between incident and collection of evidence gives scope for many potential issues, such as degradation of evidence, tampering or removal of evidence, or loss of witnesses.
  3. Size and scope of the crime scene.  The size of a crime scene may be large, particularly when we are referring to agents and munitions that have widespread effects, such as a chemical or biological attack.  The area of suspected use might be populated with many people coming and going.  The traditional concept of trying to secure the scene(s) of the incident simply flies out the window in this type of environment.  The size of an incident could mean that a full investigation could easily eat up the services of over a hundred investigators, a figure that is logistically unreasonable in many circumstances.
  4. Threats to the safety of the investigators.  Incidents that occur in active war zones mean that investigators may lack the ability to operate freely and unencumbered.  The investigators may be accompanied by security teams who may be members of, or sympathetic to, one side or another in the conflict.  An unsafe environment adds to stress on the investigators, which can detract from their efficiency and lead to increased probability of errors.
  5. Conventional warfare will damage or destroy evidence.  The active and prolific use of conventional munitions means that many items of evidence may have been destroyed.  Fire, explosions, and other battlefield effects will destroy munition debris, degrade or disperse materials, or have other deleterious effects on potential evidence. Witnesses die or flee.
  6. Proper procedures are hard to follow in an active war zone.  The forensically correct procedures in normal use in a criminal investigation are difficult to follow in a war zone.  Any reader will note that there will be a significant degree to which these procedures simply cannot apply in a situation such as this most recent incident.
  7. Politics.  War is an extension of politics.  It is impossible to ignore the political aspects of the situation.  Some people clearly have made their minds up as to what happened, regardless of the physical findings.  People with nefarious agendas can be expected to concoct alternative narratives.
  8. Distance to support – Proper laboratory support is often very far from the scene of an incident.  Most of the work that a field team can do is presumptive rather than definitive.  A competent and well-equipped laboratory needs to backstop the field team.  In addition, a competent investigation will use a large volume of expendable materials, which could take days to resupply.

Types of Evidence – Where and What to look for:

Several have asked me what I would do if I was in charge of the investigation (and I am grateful that I am not), and if I had unlimited resources and access (available only in a fantasy world, I fear).  The following types of samples can be taken:

  • Solid (including powders and soil)
  • Liquid
  • Aerosol / Vapor / Gas
  • Surface (i.e. swabbing a surface to pick up traces)
  • Dermal (i.e. residue on skin)

There are specific best practices and recommended types of equipment for each of the above categories.  Again, I refer readers to Mr. Drielak’s book for detailed procedures for each.

Every situation will be different. The list below is merely a suggestion for some of the types of situations I have seen:

  1. An actual sample of the causative agent.  If at all possible, investigators need to find the murder weapon.  What CBRN substance(s) caused the situation? Powders and liquids may be easier to find than aerosols, vapors, or gases.  Gas/vapor/aerosol samples may require specialty equipment like evacuated cylinders, Tedlar bags, or thermal desorption tubes in order to take a sample.  The following is a non-exhaustive list of where to look for samples.
    1. Fragments and debris that may have been part of the weapon or device that was used to spread the material.
    2. Vegetation that may have some of the material on it or have been affected by the material.
    3. Corners and crevices in rooms and low lying areas where the attacks have occurred.
    4. The head-space of any bag or container containing rubbish from the time of the attack, with particular attention to any bag or container containing clothing, expended medical items or anything wet from decontamination water.
    5. Shoes of anyone who handled or treated victims.
    6. Gloves used by anyone who handled or treated victims.
    7. Any trapped air in burial shrouds or coffins of deceased victims.
    8. Dermal swabs of deceased victims.
    9. Expended medical material, such as face masks used to administer emergency oxygen, electrodes attached to skin for cardiac monitoring, or needles used to give injections or infusions.
    10. Any water that may have been used to Water in drains at any of the sites where victims were decontaminated. U-bends and traps in pipes and drains may contain some residue of a liquid chemical agent.
    11. Soil around any potential device or munition that is found that may have contained chemicals.
    12. In indoor settings, look for porous material, like carpets, window seals, refrigerator door gaskets, clothing, and such that might have absorbed a bit of material.
    13. Bodies of small animals that appear to have been killed by the incident.
    14. Background samples of air, soil, and water, from areas of the city where no victims were reported and no alleged chemical incidents occurred, for purposes of comparison.
  2. Find the means of dispersal.  How did the CBRN material turn up?  How was it dispensed?  There needs to be a full search for expended ordnance or devices that may have been the means of dispersal. Intact or nearly intact devices are ideal, but need to be handled with utmost care.  Fragments are better than nothing. Devices that cannot be retrieved should be photographed, geo-located precisely, and measured.  Swabs and samples should be taken prior to collection.  The orientation of the device or fragments should be noted closely.  Use a compass to take a bearing.  Any device in the ground should be accompanied by samples of the soil, as well as a measurement as to how deep the munition was impacted into the soil.  Unknown fragments that look like they could be part of a device or munition are of interest as well.  Look for any of the following, in whole or part:
    1. Rocket
    2. Missile warhead
    3. Bomblet / submunitions
    4. Artillery shell
    5. Mortar shell
    6. Spray tank
    7. Aerial bomb
    8. Gas cylinders
    9. Grenades
    10. Land mine
    11. Any abandoned or wrecked tanker trucks
  3. Medical evidence. Medical samples collected from alleged victims can be very useful.
    1. Blood
    2. Hair, to include samples from beards
    3. Urine
    4. Vomit
    5. Tears
    6. Saliva and nasal secretions
    7. Any clothing that would have been contaminated
    8. Swabs of affected areas of skin
    9. Any kind of statement about signs and symptoms by medical providers or bystanders
    10. Any kinds of vital signs or information recorded by medical providers, to include:
      i. Pulse rates
      ii. Temperatures
      iii. Blood pressures
      iv. Pulse oximetry (oxygen saturation of blood)
      v. Any laboratory work done
      vi. Medication administered and the response to that medication
  4. Post-mortem evidence.  Every effort should be made to obtain the bodies of deceased victims of the incident for analysis by competent forensic pathologists.  Do not exhume graves without proper competence.
  5. Photo/Video evidence:  Do victims have video or still photo evidence from the incident?  Of particular note are videos or photos that were not uploaded to media sites such as YouTube.  Every effort should be made to note the time and place of the video or photo. Videos and photos that cannot be correlated with time or place are of limited investigative value.
  6. Witness statements.  Witness statements should be collected with as much detail as possible.  If possible, interview witnesses in isolation from each other to obtain independent accounts.  Some information that will be of investigative interest includes:
    1. Location of the victim at the time of the attack. Investigators should start building a map.  Such a map could identify buildings or areas where large clusters of victims were affected, which should, in turn, be areas of priority focus for physical evidence collection.
    2. How far above or below ground was the victim at the time of onset of symptoms or when they noticed a chemical substance?  This can help to establish the vapor density of the chemical substance, i.e. was it lighter or heavier than air?
    3. Odor/smell.  Did the odor go away or persist?  This is useful, as some chemicals eventually eradicate the victim’s ability to smell them.
    4. Medical signs and symptoms.  What signs and symptoms did the victim suffer from?  Use precise language.
    5. Sounds heard at the time.  Explosions, popping noises, silence? Different types of dissemination device may be associated with different sounds.
    6. Duration of symptoms.  How long did the symptoms last?
    7. Delayed onset.  Was there any delay in the onset of symptoms?
  7. Weather data from the time of the incident. Meteorological data from the time of the incident(s) should be retrieved.  Bear in mind that general wind speed and direction data from an airport miles away may not be easily applicable to the exact locations of investigative interest.  It is unlikely that this data will be of the quality needed for any but the most basic assumptions.  Data from close to the alleged incident(s) is most useful.


Disclaimers:

  1. CBRN situations are dangerous.  Attempt nothing unless you have protective equipment of sufficient type and quality.
  2. Observe necessary EOD (explosive ordnance disposal) and chemical safety precautions at all times.
  3. This paper is entirely composed of the author’s opinions.
  4. I intend to periodically expand and update this document as time permits.