SanDisk SecureAccess 3.0 password bypass !!

4 Posts
3 Users
0 Likes
11 K Views
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

Hey there,
I work with a company for security and forensics, so the court sent us a USB protected with a password (SanDisk USB). I tried to use some software methods to bypass the password; they work with v1 and v2 only, they didn't work with U3 D
and I can't launch a brute force attack because of the self-destruct feature,
so I decided to use a hardware solution and I got this:

In a USB thumb drive you essentially have a controller chipset and flash memory. Encryption aside (which is another issue), in U3 devices, as discussed, the controller presents itself to the host as two separate devices, a CD-ROM device and a removable storage device. When security is implemented in these devices, only the CD-ROM device and CDFS are presented to the file system, where some software resides controlling access to the removable storage device. The removable storage device component of the U3 is not accessible by the host and does not even appear on the bus until this security mechanism allows it. You therefore cannot take a physical image or start to try to brute force encryption. You don't even have access to it. In most cases, if you enter the password incorrectly a number of times, the control chipset will initiate the entire flash memory being overwritten.

You cannot just remove the control chipset and replace it. Flash memory implements wear leveling through this chipset.
en.wikipedia.org/wiki/Wear_leveling
This means the chipset keeps track of which parts of the flash memory have been used the most and re-maps data to different parts of the physical flash memory to even things out. The data is not stored contiguously on the flash memory, so if you change the controller, it will have no idea about the order data is stored in on the flash media.

Here are the best ways around this that I have found

Easier
- take advantage of poor implementations as others have found
- check pagefile and hiberfile for passwords or find some other way to get the password

Harder
- if you trigger the wipe process (which also clears the pw), you can sometimes kill power to the device before it has a chance to overwrite all the storage space. You then may have access to unallocated space and carve away, however this will overwrite some data and is taking advantage of a poor implementation. This may be fixed in newer implementations by having a flag in the controller that only allows access back to the removable device when overwrite is complete and just resumes overwrite on power up. To perfect this technique, get an electrical engineer to work with you to monitor power consumption of the U3 device chipset to characterise when the overwrite begins, it should be a big sustained jump in power as the control chip initiates overwriting of all blocks. You can then develop an automated way to cut power within a millisecond of the overwrite process starting and maximise available data.

Hardest
- identify the control chipset and work with an electrical engineer to reverse engineer the chipset. Identify the tables where the mapping for wear leveling is being stored and reverse engineer this by comparing data read directly from the flash memory modules to a physical image of the flash taken through the USB interface. Then, once you have identified the location of wear leveling data, copy it out of the control chipset of your locked device and into the same location on an unlocked control chipset. Swap the chipsets over and cross your fingers. I've never done this, it's a theory and all these techniques should be tried on test media first. It's not easy stuff, it's hard and takes a lot of time and a lot of resources.

I've also had some success with the power cutting technique on locked SD cards and been able to carve out lots of pictures from unallocated space. Hope this helps someone out there.

With a friend's help we can do this, but the question is how we can recover data from unallocated space!!! (free methods) please???
 
Posted : 04/08/2016 1:00 pm
citizen
(@citizen)
Posts: 38
Eminent Member
 

Does the storage media have a printed make/model per chance? Have you attempted to view the contents of the drive in hex viewer? If so, what did you see from a sector perspective? (Can you see the partitioning scheme or VBR(s)?)

 
Posted : 04/08/2016 2:43 pm
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

Does the storage media have a printed make/model per chance? Have you attempted to view the contents of the drive in hex viewer? If so, what did you see from a sector perspective? (Can you see the partitioning scheme or VBR(s)?)

I didn't try the method yet, but I anticipate events; I want to know how we can recover files from unallocated space (free methods).

 
Posted : 04/10/2016 2:49 pm
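
The first post and the reply above both ask how files can be recovered from unallocated space with free methods. As an added example (not written by any poster in this thread), here is a small structure-aware JPEG carver in Python. It assumes a raw image acquired through the device's USB interface, so the controller has already resolved the wear-leveling order; the function names and the sample image are constructed for the demonstration.

```python
SOI = b"\xff\xd8\xff"            # start-of-image plus the first marker prefix
MAX_SIZE = 20 * 1024 * 1024      # assumed cap on the size of one carved file

def jpeg_end(buf, start):
    """Offset just past EOI for the JPEG at `start`, or None if damaged."""
    pos, limit = start + 2, min(len(buf), start + MAX_SIZE)
    while pos + 4 <= limit:                  # header segments: FF xx <len16>
        marker, seg_len = buf[pos + 1], int.from_bytes(buf[pos + 2:pos + 4], "big")
        if buf[pos] != 0xFF or seg_len < 2:
            return None
        pos += 2 + seg_len                   # skips EXIF, so thumbnails stay embedded
        if marker == 0xDA:                   # SOS: entropy-coded data follows
            break
    else:
        return None                          # ran off the buffer before any scan
    while True:
        pos = buf.find(b"\xff", pos, limit)
        if pos == -1 or pos + 1 >= limit:
            return None                      # tail was overwritten or cut off
        nxt = buf[pos + 1]
        if nxt in (0xD9, 0xD8):              # EOI ends the file; a new SOI means truncation
            return pos + 2 if nxt == 0xD9 else None
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            pos += 2                         # stuffed FF00 or restart marker
        elif nxt == 0xFF:
            pos += 1                         # fill byte
        else:                                # tables/scan header of a progressive JPEG
            pos += 2 + int.from_bytes(buf[pos + 2:pos + 4], "big")

def carve_jpegs(buf):
    """Return [(offset, data)] for each structurally complete JPEG in buf."""
    found, pos = [], 0
    while (hit := buf.find(SOI, pos)) != -1:
        end = jpeg_end(buf, hit)
        if end is not None:
            found.append((hit, buf[hit:end]))
        pos = end or hit + 1                 # damaged file: resume just past its header
    return found

def fake_jpeg(scan):
    """Constructed, structurally valid (not decodable) JPEG for the demo."""
    segs = b"\xff\xe0\x00\x07JFIF\x00" + b"\xff\xda\x00\x03\x00"   # APP0 + SOS headers
    return b"\xff\xd8" + segs + scan + b"\xff\xd9"

def sample_image():
    """Constructed raw image: wiped area, intact file, truncated file, intact file."""
    a, c = fake_jpeg(b"\x12\x34"), fake_jpeg(b"\xaa\xff\x00\xbb\xff\xd0\xcc")
    return bytes(512) + a + bytes(100) + fake_jpeg(b"\x11\x22")[:-2] + bytes(64) + c
```

Only contiguous files are recovered this way; run it against a working copy of the image, never the original evidence.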
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hey there,
I work with a company for security and forensics, so the court sent us a USB protected with a password (SanDisk USB). I tried to use some software methods to bypass the password
….

(free methods) please???

Hmmm.

Hey there,
they work with v1 and v2 only, they didn't work with U3 D

Hmmmmm.

so I decided to use a hardware solution and I got this:

From here
http://www.forensicfocus.com/Forums/viewtopic/t=4790/
http://www.forensicfocus.com/Forums/viewtopic/p=6546266/#6546266
Please do also read the following discussion.

jaclaz

 
Posted : 05/10/2016 1:09 am