Security system, storage medium storing computer program, and data diagnostic method
US-2021124826-A1 · Apr 29, 2021 · US
US12505213B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12505213-B2 |
| Application number | US-202217937887-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 4, 2022 |
| Priority date | Oct 4, 2022 |
| Publication date | Dec 23, 2025 |
| Grant date | Dec 23, 2025 |
Official abstract text for this publication.
Data protection operations, including malware response operations, are disclosed. When a production system is attacked, the malware is allowed to run in a forensic environment in order to learn its operational characteristics. The forensic environment includes a working scenario that may be prepared in advance with false data and that allows the malware to communicate with a malware host system. Once the operational characteristics are learned, return malware can be placed in the data. The return malware is transmitted to the malware host system by the malware itself and executed there.
Opening claim text (preview).
What is claimed is:

1. A method comprising: detecting malware in a production system; generating a backup of the production system by a forensic engine that includes the malware; recovering the backup that includes the malware to a forensic infrastructure that includes a recovered system; while operating the recovered system that includes the malware in the forensic infrastructure, learning operational characteristics of the malware while allowing the malware to transmit communications to and/or receive communications from a malware host system; placing return malware into the data of the recovered system as new data based on the operational characteristics, wherein the return malware is configured to cause the malware to be transmitted to the malware host system, wherein the return malware is executed in the malware host system.

2. The method of claim 1, wherein the malware views the return malware as data of the recovered system.

3. The method of claim 1, wherein the operational characteristics include functions performed by the malware, timing of the functions, communications performed by the malware, data affected by the malware, evasion functions, or combination thereof.

4. The method of claim 1, further comprising configuring the return malware such that the malware transmits the return malware back to the malware host system.

5. The method of claim 1, wherein the recovered system comprises a working scenario that is prepared with false data.

6. The method of claim 1, wherein the return malware is configured to mitigate or reverse damage caused by the malware.

7. The method of claim 1, further comprising replacing data in the recovered system with false data and allowing the recovered system to operate in a live and connected manner.

8. The method of claim 7, wherein the recovered system is configured to operate normally.

9. A non-transitory storage medium having stored therein instructions that are executable by one or more hardware processors to perform operations comprising: detecting malware in a production system; generating a backup of the production system by a forensic engine that includes the malware; recovering the backup that includes the malware to a forensic infrastructure that includes a recovered system; while operating the recovered system that includes the malware in the forensic infrastructure, learning operational characteristics of the malware while allowing the malware to transmit communications to and/or receive communications from a malware host system; placing return malware into the data of the recovered system as new data based on the operational characteristics, wherein the return malware is configured to cause the malware to be transmitted to the malware host system, wherein the return malware is executed in the malware host system.

10. The non-transitory storage medium of claim 9, wherein the malware views the return malware as data of the recovered system.

11. The non-transitory storage medium of claim 9, wherein the operational characteristics include functions performed by the malware, timing of the functions, communications performed by the malware, data affected by the malware, evasion functions, or combination thereof.

12. The non-transitory storage medium of claim 9, further comprising configuring the return malware such that the malware transmits the return malware back to the malware host system.

13. The non-transitory storage medium of claim 9, wherein the recovered system comprises a working scenario that is prepared with false data.

14. The non-transitory storage medium of claim 9, wherein the return malware is configured to mitigate or reverse damage caused by the malware.

15. The non-transitory storage medium of claim 9, further comprising replacing data in the recovered system with false data and allowing the recovered system to operate in a live and connected manner.

16. The non-transitory storage medium of claim 15, wherein the recovered system is configured to operate normally.

17. A method comprising: learning operational characteristics of multiple malware while allowing the multiple malware to communicate with corresponding malware host systems; and placing a return malware in a production system based on the operational characteristics of the multiple malware to cause, in the event of an attack by malware on the production system, the malware to transmit the return malware to a malware host system, wherein the return malware is executed at the malware host system and is placed in the production system prior to the attack.

18. The method of claim 17, wherein the return malware is transmitted prior to detecting the malware at the production system.

19. The method of claim 17, further comprising altering the return malware and/or a manner in which the return malware is placed as additional operational characteristics become available.

20. The method of claim 17, further comprising detecting the malware and generating a snapshot of a production system that includes the malware, wherein the snapshot is recovered and run in a working scenario to learn the operational characteristics of the malware.
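The learning stage the abstract and claims 1, 3, 5 and 7 describe (run the recovered system, still carrying the malware, in an egress-monitored forensic environment seeded with false data, and record what the malware does, when it communicates, and what data it touches) is the part a defender actually builds and can show in code. The block below is an added example, not code from the patent or its applicant: it parses telemetry from a hypothetical sandbox and summarises the operational characteristics claim 3 enumerates, then attributes which seeded false-data records were exfiltrated by the unique token each one carries. The "return malware" step of claim 1 is deliberately not implemented; the decoys here are passive markers, not executable payloads. The JSON-lines telemetry format, the event names, the beacon size threshold, the evasion action labels and the decoy tokens are all assumptions made for illustration, and the sample events are constructed, not a real capture.

```python
"""Profile malware running in a recovered system from forensic sandbox telemetry and
attribute which seeded false-data records it exfiltrated.

Added example, not code from the patent. The telemetry format (one JSON object per
line with a float "ts" in seconds), the event names and the decoy token scheme are
assumptions made for illustration.
"""
import json
import statistics
from collections import Counter

# Outbound messages at or below this size are treated as C2 beacons (assumed heuristic).
BEACON_MAX_BYTES = 1024
# Process actions that count as "evasion functions" in the profile (assumed labels).
EVASION_ACTIONS = {"sleep_check", "vm_detect", "inject"}

# Constructed telemetry, not a real capture: what an egress-monitored sandbox might
# record while the recovered system (still carrying the malware) runs connected.
SAMPLE_EVENTS = """\
{"ts": 0.0, "event": "file_read", "path": "/srv/finance/payroll_2022.csv"}
{"ts": 1.2, "event": "process", "name": "svchost.exe", "action": "inject", "target": "explorer.exe"}
{"ts": 2.0, "event": "net_tx", "dst": "203.0.113.10:443", "bytes": 512, "payload": "beacon id=7f3a"}
{"ts": 61.9, "event": "net_tx", "dst": "203.0.113.10:443", "bytes": 498, "payload": "beacon id=7f3a"}
{"ts": 62.4, "event": "net_rx", "src": "203.0.113.10:443", "bytes": 120, "payload": "cmd=collect"}
{"ts": 63.0, "event": "file_read", "path": "/srv/finance/decoy_vendors.csv"}
{"ts": 64.1, "event": "net_tx", "dst": "203.0.113.10:443", "bytes": 4096, "payload": "upload vendors.csv ACME-DECOY-0c1f8e ..."}
{"ts": 70.5, "event": "file_write", "path": "/srv/finance/payroll_2022.csv.locked"}
{"ts": 122.3, "event": "net_tx", "dst": "203.0.113.10:443", "bytes": 501, "payload": "beacon id=7f3a"}
{"ts": 130.0, "event": "process", "name": "svchost.exe", "action": "sleep_check", "target": "vm_detect"}
"""

# False data seeded into the recovered system before it goes live. Each record carries
# a unique token so an exfiltrated copy can be attributed to the record and the
# destination. Constructed for this example; the tokens are passive markers, not code.
DECOYS = {
    "ACME-DECOY-0c1f8e": "/srv/finance/decoy_vendors.csv",
    "ACME-DECOY-9b42d1": "/srv/hr/decoy_employees.csv",
}


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def beacon_timing(events):
    """Interval statistics for small outbound messages to the most-contacted host.

    Returns (host, mean_interval_s, jitter_s), or None with fewer than three beacons.
    """
    beacons = [e for e in events if e["event"] == "net_tx" and e["bytes"] <= BEACON_MAX_BYTES]
    if not beacons:
        return None
    host = Counter(e["dst"] for e in beacons).most_common(1)[0][0]
    ts = [e["ts"] for e in beacons if e["dst"] == host]
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return host, round(statistics.mean(gaps), 2), round(statistics.pstdev(gaps), 2)


def exfiltrated_decoys(events, decoys):
    """Map each decoy token seen in an outbound payload to where and when it first left."""
    hits = {}
    for e in events:
        if e["event"] != "net_tx":
            continue
        for token, path in decoys.items():
            if token in e.get("payload", "") and token not in hits:
                hits[token] = {"path": path, "dst": e["dst"], "ts": e["ts"]}
    return hits


def build_profile(text, decoys):
    """Summarise the characteristics claim 3 lists: functions performed, their timing,
    communications, data affected and evasion functions, plus decoy attribution."""
    events = parse_events(text)
    profile = {
        "functions": dict(Counter(e["event"] for e in events)),
        "c2_endpoints": sorted({e["dst"] for e in events if e["event"] == "net_tx"}
                               | {e["src"] for e in events if e["event"] == "net_rx"}),
        "files_read": [e["path"] for e in events if e["event"] == "file_read"],
        "files_written": [e["path"] for e in events if e["event"] == "file_write"],
        "evasion": [f'{e["name"]}:{e["action"]}' for e in events
                    if e["event"] == "process" and e["action"] in EVASION_ACTIONS],
        "exfiltrated_decoys": exfiltrated_decoys(events, decoys),
    }
    timing = beacon_timing(events)
    if timing:
        profile["beacon"] = {"host": timing[0], "interval_s": timing[1], "jitter_s": timing[2]}
    return profile


if __name__ == "__main__":
    print(json.dumps(build_profile(SAMPLE_EVENTS, DECOYS), indent=2))
```

The profile answers the questions the forensic stage exists to answer: which host the sample beacons to and at what cadence (so the "working scenario" can keep the C2 channel alive without tipping off the operator), which files it reads and which it damages, and which of the seeded false-data records actually left the environment. A decoy that is read but never appears in an outbound payload is as informative as one that does; it tells you the sample is selective about what it steals. The egress point must be a monitored, rate-limited path that the sandbox controls, never the production network.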
involving event detection and direct action · CPC title
Test or assess software · CPC title
eliminating virus, restoring damaged files · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title