I haven't done much of this before, but i have the book Windows Forensics Analysis and I've read through it a couple of times. I recommend you dl a pdf of it and list through the index for a few pages that might be of interest for you.
What I found:
First off, you should have gotten an image of all processes memory before shutting off the computer, if you haven't done so, smack yourself hard in the back of the head, because you've just destroyed some very useful data. WFA lists a number of methods for what to do with it. Main idea is to get a picture of what was going on inside the RAT process and other processes during the attack.
You should also still have the RAT executable, see if reverse engineer it even a bit, you can maybe get an address, keys, or anything else of value.
Next thing you can try is all the various log files, namely;
The win Event Logs may be a primary source of information for you. The Event Viewer will show you a large list of what went on inside the system.
Though this is listed under the Windows 2000 through XP, it might still apply. The key HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Event Log> has options for event log files such as file size, how long the record is maintained, etc. might wanna see if any of those were edited (WFA 255).
The Windows firewall (WFA lists this section only as 'XP Firewall Logs', though i bet that there is a firewall service running on win 7 and you might have had it running if you didn't disable). General idea is that it should have recorded some trace of the outgoing or incoming communication of the RAT.
Another interesting thing is crash dumps in which the entire contents of the process' RAM is stored in a file on disk (WFA pg 114, 290). If the attacker crashed anything in the process in infection, you might find something funny in the files. Also if he screwed around with any of the commands, you might find crash files.
the windows registry has the time of LastWrite for each registry key. By sorting all registry keys by LastWrite time, you can get an idea of what keys the RAT or the attacker might have edited, clumsily generated, or even erased (WFA pg 168). How you access those, i'm not entirely positive, google for a tool for it. I think WFA actually comes with a perl script on a cd to do this for you.
See what works best.