CBRN forensics: Proving an incident occurred and proving who did it

The issue of legal and procedural forensics does not come up very often in this publication. However, the collection, handling, storage, and exploitation of evidence of use of chemical, biological, radiological, or nuclear (CBRN) weapons and materials is actually an issue of vital importance. The idea that forensics is something that police and courts need to worry about but not soldiers and diplomats is outdated. The ability to establish the veracity of alleged use of CBRN weapons is important, as is the ability to identify perpetrators. These two tasks are the main purpose of CBRN forensics as an emerging discipline.

Verification of claims and incidents

The first reason why proper forensics is needed in acts of warfare or terrorism is to actually establish if a CBRN material has been used. Suspected use of CBRN materials may be a war crime, the start of a war, an escalation to a war, or a dreadful terrorist attack. However, merely claiming or believing that CBRN materials were used is often not as easy as it may sound to the layperson. Gases, vapours, or aerosols may disperse. Smoke could be mistaken for a toxic attack. Various kinds of sickness could have natural or, at least, non-CBRN causes. Indications on CBRN detection instruments may be true or may be false indications. Malfunctions are not unknown. Even true indications on detection instruments may be false depictions of CBRN use. For example, Hydrogen Cyanide and Phosgene, both chemical warfare agents, might be produced in fires in residential or industrial buildings. A radiation reading could be induced by a natural source. Since CBRN use is such a provocation, it is rather important to establish what actually happened and provide some credible proof. This is where forensics come into play.

The world has seen such scenarios in the past. Are reports of people having difficulty breathing after an artillery attack simply smoke? Or are they the result of chemical weapons? Are the civilian victims of a rocket attack dead from a nerve agent? Or is it a misunderstanding and they died from conventional means? These are serious questions asked in 2013 and 2017 in Syria and they need the sort of answers than can be reinforced by forensic science. In the current Russia-Ukraine conflict there have been some incidents of chemical use by Russians validated by evidence, but there have been many hundreds, if not more, claimed incidents that simply could be verified because of insufficient evidence.

The verification of use is especially important in an era of social media, misinformation, and disinformation. For every valid or plausible claim of CBRN use in recent conflicts, there have been false claims, both well-intentioned and malicious. Making the other side in a conflict appear to be engaging in forbidden conduct is an old tactic that has gained more traction in the age of social media. Verification of what substance actually was used is also important. Appropriate medical treatment may rely on accurate identification of a substance. A lesser material such as tear gas may have been mistaken for something more dangerous. Indeed, this is one reason why putatively non-lethal tear gases are banned in warfare.

Attribution

As well as verifying that an incident actually happened, CBRN forensics has a strong role to play in identifying who the perpetrator of an incident was. This may be at the strategic level (identifying which side in a conflict did it), the tactical level (which unit did it), or even the individual level (what soldier or terrorist did it.) With instances of chemical weapon usage in the Syrian civil war, there were numerous claims as to who actually used various chemical weapons. The large majority of such claims were gradually proven false, but it was both chemical and non-chemical evidence that allowed for the attribution of attacks to, almost entirely, the Syrian regime (a Sulphur Mustard incident was attributed to IS, but the vast majority of chemical incidents were attributed to the Assad regime).

One critical aspect of attribution is that not all of the focus should be on the technical CBRN aspects of the collected evidence. Often, it may be non-CBRN elements of evidence that actually provide crucial details as to who perpetrated the attack. Finding a dead body at the scene of a terrorist incident with the nerve agent Sarin on its clothing and finding relevant chemical markers of Sarin in the blood of the victim is fairly useful in establishing that the victim died from nerve agent exposure. But that information does not easily reside in just the chemical agent itself. What if the evidence is on fragments of the device? Or on a smartphone of a victim, now covered in nerve agent?

The same type of logic applies to battlefield use. Who fired the artillery rounds with the Sarin? Who dropped the bombs? Analysis of shell craters or analysis of fragments of the munitions, not the chemical agent, is needed to develop a full picture of who may have performed the war crime. In both war crimes and terrorism, the analytical CBRN laboratory that identifies the chemical agent may not be able to analyse non-CBRN evidence. Fingerprints, fibre, and DNA evidence from a fragment of the device or munition may have evidentiary value. The smartphone of a victim could hold much useful information, but the criminology laboratory that could easily derive that information might not be able to safely handle nerve agents, or may not be legally allowed to process such evidence.

How does CBRN forensics work? Types of evidence

Forensic science in CBRN warfare and terrorism needs to follow the same basic approaches as forensic evidence in conventional criminology. CBRN forensics consists of collecting evidence from a potentially contaminated crime scene in a way that scientifically preserves the evidence in a way that protects the ability to extract information at some future point as well as doing so in a way that is resistant to administrative or legal challenge. It seems odd to some to talk about warfare and evidence using legal and procedural language, but use of chemical weapons is a war crime, war crimes can lead to tribunals, terrorism can lead to trials, and use of such weapons can be used as an excuse to start or escalate a war. So, it pays off in abundance to get the evidence right, from the beginning.

There are a number of broad categories of relevant CBRN evidence. For each category there are preferred tactics, techniques, procedures, and equipment that range from very simple to nearly esoteric. Gas, vapour, and aerosol samples are one category, and represent a difficult type of evidence. Finding the right point to collect a sample will be difficult, and due to environmental conditions, such samples are the most time-sensitive.

Solid and liquid samples are more straightforward. The two categories can often be found co-mingled. For example, soil or clothing samples could be soaked in a liquid agent. Surface swabs and swipes are useful for detecting very small amounts of material. Such samples were useful in the 2006 Litvinenko investigation and the 2018 Skripal investigation in the UK.

It is important to note that there is, potentially, a biomedical component to CBRN evidence. Some of the evidence may be in the form of dead people or dead animals; biomedical evidence from living or dead people or animals, in the form of hair, blood, urine, swabs from skin, and tissues has been revelatory in past investigations. In the Khan Sheikhoun Sarin attack in 2017, for example, necropsy of dead animals helped prove that Sarin was used in the attack, which killed at least 58 people. The biochemical processes and the ‘biomarkers’ that are the targets of such investigations are well-documented in the scientific literature.

Conventional evidence from an incident scene, possibly contaminated with CBRN material is yet another (and often overlooked) category, as discussed earlier. Finally, an investigation should not disregard electronic evidence. This may include video, social media posts, geolocation data from mobile devices, and actual physical exploitation of electronic devices found at an incident scene.

Integrity of evidence

Materials collected in an investigation need both physical and procedural integrity if they are going to be able to be processed in a way that yields information that is useful. Physical integrity means being able to keep the collected material (or virtual evidence, in the case of electronic evidence) in storage in a way that preserves it and protects it from cross-contamination, until it can be properly examined in laboratory conditions.

The best way to look at the CBRN forensics problem is to assume that a very good lawyer is defending the perpetrator in court and questioning every single bit of evidence, how it was collected, the tools used, and how the evidence was handled after collection. Good defence counsel already does this in murder investigations and drug cases. People who were likely guilty of crimes have been let go because of problems with the integrity of the evidence.

Several countermeasures can be taken to ensure the integrity of the evidence. All of the processes, tools, procedures, PPE, and containers involved need to be used in a way that minimises cross-contamination. As an example, using the same shovel to fill a hundred different bags at four different sites could really cause procedural problems through cross-contamination. Documented and verifiable sterility of containers and tools is a useful safeguard. So is the use of blank samples (items not used in the collection effort but submitted and processed as evidence) and control samples (similar materials to those collected but from outside a crime scene) are useful methods for protecting the integrity of evidence.

National and international efforts

Thirty years ago, there was a void in this space. Incidents such as the Tokyo subway Sarin attacks in 1996 and the Amerithrax investigation in 2001 pointed out the procedural voids between military CBRN detection and the needs of criminal investigation. Some countries have come a long way, and numerous countries field Sampling and Identification of Biological, Chemical, and Radiological Agents (SIBCRA) teams, and there are specialist NATO capabilities. In the civil sector, efforts very greatly. Some countries, like the USA (which has dedicated FBI teams for exactly this task) and the UK (police CBRN teams) have sunk much development effort into CBRN forensics. In some other countries, the situation is dire. Some countries still manage to deal with CBRN incidents as only a public safety matter (vitally important) but neglect the legal aspects. Your correspondent has watched firefighters literally wash the fragments of a terrorist device down the drain during an exercise in an EU country.

One niche area worth mentioning is nuclear forensics. The US government has sunk great effort into this particular area. The Americans have been spending decades on devoting some of the vast nuclear weapon industrial infrastructure to an interesting technical question. The US now has labs and expertise able to examine the residue of a nuclear explosion, or failed or disarmed nuclear device (it is thought that improvised nuclear devices will have a high rate of failure) and determining the origin of the fissile material.

Some bilateral and international efforts have been underway to improve the situation. Interpol has spent several years (and had your correspondent serve on an advisory panel) developing and promulgating elementary guidelines. These guidelines for chemical incidents represent a good basis for development of local processes in countries that are years or decades behind in this subject. The European Union has fostered several projects in CBRN forensics, both within the EU (such as FP7’s Project GIFT led by the Netherlands) and as part of the EU’s efforts to spread knowledge through the EU CBRN Centres of Excellence (such as Projects 57 and 58). The International Atomic Energy Agency (IAEA) has also done work to spread knowledge on nuclear forensics.

Products and prosecution

Forensics is not a market segment that is particularly dense with specialist products. Much of the work can, in fact, be done with generic products as long as the various provisos of sterility, integrity, and chain of custody are observed. A glass jar is, at the end of the day, just a glass jar. However, this is not to say that there are not products or technologies available to help in this area. Saab (Sweden) has a well-regarded CBRN sampling kit designed as a ready-made technical solution in this area. HotZone Solutions (NL) produces ‘The Identifier’ sampling kit. Quick Silver Analytics (USA) has developed and sold similar kits in the US market. In all of these circumstances, these are, in effect, product bundles of fairly generic equipment items available from a wide variety of vendors and there is no practical obstacle to an end-user making their own kits. While field and portable CBRN detection instruments often do not represent a final step in CBRN forensics, they are crucial to processing a crime scene. However, these instruments have been well covered in several previous articles in this magazine.

Prosecutions and trials are rare in this arena, and the ones that have happened have tended to be ones involving breaking of sanctions. In such cases, financial evidence and paper trails were often the evidence. However, it is only a matter of time before it will happen. Indeed, with information coming out from Syria, it may happen sooner than anyone had expected; but we do not want to see situations where perpetrators escape justice due to faulty processes.

Dan Kaszeta